Is FaceApp a Russian Spyware Trojan?
Updated: Sep 27, 2021
FaceApp is enjoying another viral moment fueled by celebrity selfies, while sparking dire warnings from security and privacy experts. Now politicians in Congress are calling for an investigation and the DNC ordered Democratic staffers to delete the app from their phones.
Is FaceApp being singled out unfairly? After all, most mobile apps are about as ethical as Stephen Colbert’s mythical PonyPoints app. Let’s look at five FaceApp media myths:
FaceApp puts your photos in the cloud and owns them.
TRUE: Photos you process with FaceApp are stored in a public cloud and FaceApp legally owns them.
HOWEVER: By default, most photos you take with your phone are stored in a cloud, if for nothing else than backup purposes. Snapchat stores photos on its servers.
FaceApp accesses all the photos in your phone.
FALSE: This stems from a misunderstanding about how Apple iOS works. On an iPhone, FaceApp appears to access your entire Photo Library, but in truth it only gets photos you explicitly choose.
TRUE: FaceApp’s Terms are unusually broad. They claim “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content.”
HOWEVER: The fine print on many mobile apps gives them unfettered access to private data. Facebook, for example, asserts the right to “use your name and profile picture and information about actions you have taken on Facebook” for any purpose (e.g., targeted ads).
FaceApp gets access to everything on your phone.
FALSE: As discussed above, FaceApp doesn’t gain full Photo Library access (although it may appear to on iPhones). The current version doesn’t ask for user location data either.
HOWEVER: FaceApp does access a lot of stuff, including the phone’s camera, files, and network connection. Data is stored insecurely in an unencrypted database.
FaceApp is affiliated with Russian cyber military operations.
UNCLEAR: It’s true that FaceApp is based in Saint Petersburg, Russia, which is also home to the infamous Internet Research Agency. The app goes to some lengths to hide this fact (using a Russian subdomain of a US domain, through a Dutch ISP), which may be a red flag. Or not.
So is FaceApp spyware? Or a Trojan Horse?
Spyware pulls personal data from a device and transfers it elsewhere for purposes the end user may not fully understand or authorize. FaceApp does access your camera and take ownership of uploaded photos, but in many respects it’s less invasive than other popular mobile apps that not only grab photos but also locations. I'm looking at you, Instagram.
Trojans perform hidden actions without the user’s awareness or approval, masked by behaviors or functionality that was expected and authorized. FaceApp may do things behind the scenes that users wouldn’t want, or may do so in the future, but so does every social media app. For example, tagging photos on Facebook helps them train their facial recognition AI. Did you really sign up for that?
The fear, uncertainty, and doubt (FUD) surrounding FaceApp seems to have more to do with its Russian connection than whether it’s a Spyware Trojan. People who happily give their life history to a well-known company in Silicon Valley are reluctant to give it to an unknown company in St. Petersburg.
Let’s treat this as a teachable moment. Remind people worried about FaceApp they should take a hard look at the other apps on their phones, too.
(I’m indebted to fellow security researchers who have studied and tested FaceApp, including Eli Schlomo who shared his findings publicly.)
UPDATE 12/2/2019: The FBI formally classified FaceApp as a counterintelligence threat, primarily due to its Russia ties and St. Petersburg location.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.