When you open Duolingo to practice Spanish, BeReal to share a photo, or Character.AI to chat with a bot, you probably don't expect your battery level, storage capacity, and internal IP address to be sent to ByteDance, the company behind TikTok.
But that's exactly what's happening. And the encryption
Frankly, I want the opportunity to peer into everything, or at least prevent all of it.
It says it can’t be decrypted with passive means due to a proper ECDH key exchange, but if they are not doing any sort of verification that their server sent or created the key, then it would be possible to do an active attack like MITM that manipulates the key exchange. What I mean is, your MITM proxy would substitute the real key with one that you have the keypair to and hand that to the target application. The target application then encrypts using the key you provide, your MITM proxy decrypts and reencrypts with the real key and all seems legit from both sides.
If there is server validation of some sort, signature checks or whatever, then it would require extra work like patching out or otherwise modifying those checks in the application, extracting the key from the application’s memory, or something like this.
I guess my point is, if you’re motivated enough, you can make it happen.
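
The two cases the comment above distinguishes, as an added example that is not part of the original thread or of any app's code: a client that accepts whatever server public key arrives, next to one that checks it against a pinned copy. Assumptions: a toy finite-field Diffie-Hellman group stands in for ECDH, and the names `client_handshake` and `run` are hypothetical.

```python
import hashlib
import secrets

# Toy finite-field DH group standing in for ECDH (assumption; NOT a secure group).
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def client_handshake(received_server_pub, pinned_pub=None):
    """Return (client_pub, key). With pinned_pub set, any other server key is rejected."""
    if pinned_pub is not None and received_server_pub != pinned_pub:
        raise ValueError("server key does not match pinned key")
    priv, pub = keypair()
    return pub, session_key(priv, received_server_pub)

def run(pinned, intercepted):
    """Simulate one handshake and report who can derive the client's session key."""
    server_priv, server_pub = keypair()
    proxy_priv, proxy_pub = keypair()   # key pair held by an on-path proxy (constructed)
    offered = proxy_pub if intercepted else server_pub
    try:
        client_pub, client_key = client_handshake(
            offered, server_pub if pinned else None)
    except ValueError:
        return "rejected"               # substitution detected before any data is sent
    if client_key == session_key(proxy_priv, client_pub):
        return "proxy-readable"         # unauthenticated exchange: the proxy holds the key
    assert client_key == session_key(server_priv, client_pub)
    return "server-only"

if __name__ == "__main__":
    for pinned in (False, True):
        for intercepted in (False, True):
            print(f"pinned={pinned} intercepted={intercepted} ->", run(pinned, intercepted))
```

The only difference between the "proxy-readable" and "rejected" outcomes is the comparison against the pinned key, which is the check the comment says would have to be patched out or bypassed in the application.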