
Facebook scans system libraries on Android and uploads them to their server - Browun
https://twitter.com/wongmjane/status/1167463054709334017?s=12
======
wongmjane
Previous discussion:

[https://news.ycombinator.com/item?id=20839689](https://news.ycombinator.com/item?id=20839689)

------
js2
As someone who’s built my company’s mobile crash reporting solution, I have a
guess why they might do this.

It’s is extremely difficult to diagnose Android native code crashes. Unlike
iOS where it is both straightforward to unwind on the phone, and where Apple
makes the iOS system symbols available for symbolizing system frames in a
stack trace, neither of these things are true on Android.

My first approach for my company’s Android crash manager SDK was to use Google
Breakpad. This works by capturing a snapshot of stack memory at the time of
the crash. Unwinding then occurs on a backend server. But to unwind
successfully, absent a frame pointer register, you need unwind info to provide
to the unwinder. This simply isn’t available except for Nexus devices for
which you can download the system images from Google. And even on devices
where the code was compiled with a frame pointer, you still need symbols so
you know what each frame’s function was.

Another approach is to unwind on the device. In my experience, using
libunwind, this is successful about 50% of the time. It also risks hanging the
app, which looks even worse to the user than just crashing.

Years ago, I briefly considered having our crash SDK, optionally and with user
consent, extract the symbols and unwind data from the libraries on the device
and upload them to our backend. I dismissed it as too expensive to do on a
user’s phone.

Instead, we crowd source as much as we can from our employee phones.

Android native code crashes remain a bear to diagnose. Especially annoying
since Android itself collects a ton of diagnostic data about your app when it
crashes - it just doesn’t make it easily, or in some cases at all, accessible
to the app itself.

~~~
lugg
This is clearly not for crash reporting. They're sucking up libs to figure out
what apps their users use.

Could be a few reasons, could be boring metrics, could be anticompetitive
identification of acquisition targets, could be oppo research, could be user
profiling.

None of these things I'm ok with Facebook getting off my phone.

~~~
Shish2k
> They're sucking up libs to figure out what apps their users use.

Hypothesis 1, debugging: requires full copies of system libraries

Hypothesis 2, fingerprinting: requires hashes of application libraries

Evidence: full copies of system libraries are being uploaded

How are you using that evidence to be so confident in hypothesis 2 and
confidently against hypothesis 1?

~~~
number6
Hypothesis 3: they do both

------
0x0
If the actual files are uploaded(?), doesn't this constitute reverse software
piracy? Under what license are the uploaded files covered by? Can facebook
require the end users to supply the source code for GPL-licensed library
binaries uploaded through this system? What about proprietary oem blobs that
are often covered by a no-redistribution license or EULA? What if I am an AOSP
or vendor developer working on unreleased R&D next-version Android?

~~~
amelius
Nice angle but I guess the defense is that the user explicitly gave Facebook
permission to read those files.

~~~
rocqua
If I buy a book, I'm allowed to read that book, but I am not allowed to copy
it.

~~~
spunker540
You are allowed to copy it, you just can’t sell copies of it.

~~~
EarthMephit
You are not allowed to copy it, or sell copies of it

Under fair-use laws (which vary country to country), you can usually copy a
small portion of the work for non-profit educational use

[https://en.wikipedia.org/wiki/Fair_use](https://en.wikipedia.org/wiki/Fair_use)

------
buildzr
Okay what is the purpose of this even?

Sure, everyone is going to talk about fingerprinting, but let's face it, there
are way easier and more reliable methods of doing that than system libraries
that mostly match between same devices.

Must be for some sort of debugging? Still seems insane...

~~~
londons_explore
There are hundreds of thousands of variants of android phones.

Facebook wants their app to work on all of them, but cant track down all of
those physical devices.

Instead, I bet they load all the libraries into a big test bench and check all
features of the app work with all possible hardware.

It wouldn't be perfect, since I bet many of those libraries rely on custom
system services, kernel interfaces, etc, but I bet it helps them track down a
bunch of issues before they impact real users.

------
arien
What about the Instagram and WhatsApp apps? Do they behave the same way?

~~~
FeatureIncomple
I'm really interested in an answer for this question, since WhatsApp is the
only Facebook app I have installed/keep an account.

Unfortunately, _everyone_ uses WhatsApp in Brazil, and very few people uses
Telegram, for example. This makes it kinda impossible to be Facebook-free
here.

------
z3t4
Apps should be statically linked and the kernel should not allow any access to
the hdd or fs. Where you have to opt in to what folders the app is able to
read or write to. Same for network access and any other hardware, camera, mic,
etc.

~~~
londons_explore
Frequently those static libraries provide device-specific functionality. For
example, the Jpeg decompressor on my phone uses custom silicon, and is a
systemwide shared library.

~~~
heavenlyblue
Is there any way to make memory pages executable, but not readable?

~~~
wongarsu
Kernel modules are executable, but not readable (by userspace processes). Or
just have it in a different process and talk over IPC.

------
pbhjpbhj
Wouldn't they just hash the libraries, surely they can get copies by legal
means, like buy "a few" phones?

------
tanilama
How does this pass through their legal team?

~~~
solarkraft
I suspect they don't run anything through their legal team, only ask them to
help after they've fucked up.

This has the advantage of getting away with things the legal team would advise
against, which I think they do a lot.

~~~
tanilama
If that is true...This is a culture inbreeding disaster...

------
gothack
Another reason I'm glad I quit

~~~
ulfw
Both. No point using an operating system that is a malware and privacy
nightmare, just so I can fiddle with it more. It's not a computer, it's just a
phone.

And no point using Facebook, really. Still with Whatsapp (and passively
Instagram) as my friends are massively on those.

~~~
leggomylibro
Whatsapp and Instagram _are_ Facebook. The same company owns and runs all
three.

~~~
ulfw
I am well aware of that. Thus I mentioned I am still with those apps
(involuntarily). So still with Facebook Inc, but not Facebook.com/App

------
cstross
How is this not utterly illegal in the EU, per GDPR? (Which was drafted to
stop indiscriminate data acquisition on human subjects: I'm assuming that
metadata about the core libraries on your phone, in conjunction with FB's user
metadata, are trivially de-anonymizable.)

~~~
shawnz
How does this provide any more data for fingerprinting than just checking the
model of the phone?

~~~
brador
Harder to spoof, less likely to be faked, plus additional meta information.

~~~
shawnz
For starters, I'm not convinced it would be harder to spoof that than the
library information (which also seems pretty easy to spoof if not easier).

But even if that were the case, why would they spend this level of engineering
effort just to be able to fingerprint people in that extremely rare case of
having a spoofed phone model? Do you think that kind of customer would even be
receptive to targeted ads in the first place? It just doesn't make sense to
me.

~~~
brador
Tracking value increases with rarity. Data is packaged and sold, not simply
stored and empty cells can go for crazy money if the target is hot enough.

How much would you pay for Elons verified personal number?

------
amelius
Fingerprinting on steroids?

~~~
Nextgrid
It's copying the actual libraries, so it's more like cutting off actual
fingers rather than just taking the prints.

~~~
anandchowdhary
Maybe more like making a copy of your fingers and keeping them while leaving
your actual fingers intact.

------
namanaggarwal
This is pretty bad.

------
IloveHN84
What about the breaking of GDPR as well?

