
Is this something that actually happens (= can anyone prove this by disassembling the app or MITMing the network traffic), or is it just unfounded paranoia?



Considering how easy it is to implement these things without anyone noticing since it's closed source, you have to assume it is happening in any scenario where you need any decent opsec. Even in scenarios where you don't, there's been enough cases of similar things happening with well-known apps and services to be wary.


> Considering how easy it is to implement these things without anyone noticing since it's closed source

You can reverse engineer those things and analyze your network traffic. You can’t have a client in a device controlled by the user, in this case an app, send anything to a server without anyone noticing it.

And frankly, they don’t even need it. Just with your contacts they can link you to your friends and common interests without you even having a Facebook account; all you need is friends with an FB/IG account who have linked their accounts to their phones and use WhatsApp.

The contacts are known to be sent to the server, they are known to be linked to Facebook except in the European Union, where there is a different app from WhatsApp Ireland and a different privacy policy that specifically states (in the version outside of the EU) that it shares your contacts with Facebook, and they are much more valuable and much less risky than reading your messages.


> You can reverse engineer those things and analyze your network traffic.

I frankly don't think people realize how much obfuscation of both app code and network traffic goes on under the hood. "Analyzing network traffic" isn't a sustainable option when things are encrypted and behind dozens of layers of protobuf, websockets and other fancy protocols, and get updated and change around all the time. Far from everything is introspectable HTTP, JavaScript and JSON these days, and that applies especially to big apps like these. It's not hard to send privacy-sensitive data along with "legitimate" data like analytics at unexpected times and evade scrutiny.

Yes there's people that dedicate themselves to reverse engineering apps like this, but they're few and far between, and most of them focus on either the easy fish, or security vulns. Considering nobody's building public documentation on the protocols of these apps I'll have to assume it's hard enough and changes often enough to be worth the time of people without special monetary interests.

I agree with the rest of your assessment, there's way less "obviously malicious" ways to exfiltrate data about users than literally uploading users' pictures, since for example WhatsApp stored unencrypted backups on Google Drive until very recently, among other things. I'm just trying to shed a light on the fact that apps like this have a lot of ways to accomplish this without raising too many eyebrows.


It should be easy to test, since iOS has a feature called App Privacy Report that lists networks and permission access, and no, when you just open the Instagram app it does not access photos. Only when you open the add to story page or click on the new post icon does it do the access.


Thanks for making me aware of this! You're right!


> Considering how easy it is to implement these things without anyone noticing since it's closed source

I see you’ve never heard of Jane Manchun Wong...


I imagine the reputational and potential legal consequences would be fairly severe if this sort of privacy invasion were discovered (either by employee leak or reverse engineering). Seems unlikely Meta would take a risk like this.



