
Facebook scans system libraries on Android and uploads them to their server - akalin
https://twitter.com/wongmjane/status/1167463054709334017
======
javagram
I was going to say this isn’t a big deal but copying and uploading the
libraries is actually illegal (copyright violation) and users likely can’t
even consent to this even if it is in the Facebook ToS as many android phones
contain proprietary libraries not licensed for redistribution.

The creators of those various libraries should have a valid legal case against
Facebook here, if they want to exercise it. I doubt any users are being harmed
by this but it’s a violation of the software creator’s rights.

~~~
dmitrygr
Some older android devices running newer lineage/AICP/etc builds include a few
libraries I wrote (in their entirety) for compatibility of old vendor
prebuilts with new android versions - libdgv1 & libdmitry. Maybe I should C&D
FB for laughs?

~~~
gpm
Are they closed source? I.e. does facebook not have a license to make copies
of them?

~~~
dmitrygr
source avail != anyone can make copies of the binary

~~~
tempay
Even with a “standard” open source licence the copyright notice probably isn’t
being included in the upload making it a violation of most licences.

------
saagarjha
I'd expect that they're doing this because they'd like to diagnose crashes or
bugs on systems that they don't have the hardware for. It's still somewhat
creepy and possibly a fingerprinting mechanism.

~~~
CaptainZapp
Your assessment would be reasonable whth just about any company.

But Facebook? Not so much.

~~~
coding123
Agreed. This is about how the phone number thing went "for security". I think
a lot of people believed FB was using it just for security but in reality they
were trying to find more connections, possible friends, tie you to an
identity. A real citizen of a country - which is one of their products. I
would suspect this is like browser fingerprinting.

------
annadane
How does the internal culture at FB come to grips with the world's vision of
them as creepy and amoral and still do stuff like this anyway?

~~~
JustSomeNobody
That culture has been built up over years. And probably most of the people
they hire don't have the life experiences that would give them pause and allow
them to consider or even recognize if what they're tasked to do is creepy or
not.

~~~
funkymike
Not at FB but just doing enterprise software development I've had to explain
to other developers that capturing and storing user info just because we can
is in the "not okay" category. There are plenty of people who don't even
consider ethics at work. They get a feature request, so they deliver it, with
no second thoughts. These aren't bad people per se, it just doesn't occur to
them to question the reasons for a request or what the end result is within a
larger context.

~~~
godelski
I think this is because people don't see the value of data. I've also heard a
lot of justification about people saying "well my individual data isn't worth
anything" but also being freaked out by ads they get. I'm always confused by
this juxtaposition. But I guess there's similar stances in a lot of places in
our culture right now.

------
sharpneli
Isn’t this potentially a copyright violation?

Especially on Qualcomm devices (such as the Jolla phone) Qualcomm explicitly
forbids you from distributing their OpenGL drivers. So if facebook copies
libGLESv2.so off from the device they are potentially performing straight
piracy at that point.

If I recall the damages demanded by RIAA it was several hundred k per
infringement.

~~~
JaRail
The exact details would depend on what they do with the uploads and the
specific countries they're uploaded to/from. I'd presume they do this for
security and debugging purposes, not to 'steal' the libraries. Like a virus
company uploading samples of 'suspicious' .dlls for analysis, this looks like
a fair use exception.

~~~
evilDagmar
It's not a fair use exception because Facebook is not the party involved in
the copyright agreement. They're a completely separate third party so they
don't have any rights at all to those files.

------
js2
As someone who’s built my company’s mobile crash reporting solution, I have a
guess why they might do this.

It’s is extremely difficult to diagnose Android native code crashes. Unlike
iOS where it is both straightforward to unwind on the phone, and where Apple
makes the iOS system symbols available for symbolizing system frames in a
stack trace, neither of these things are true on Android.

My first approach for my company’s Android crash manager SDK was to use Google
Breakpad. This works by capturing a snapshot of stack memory at the time of
the crash. Unwinding then occurs on a backend server. But to unwind
successfully, absent a frame pointer register, you need unwind info to provide
to the unwinder. This simply isn’t available except for Nexus devices for
which you can download the system images from Google. And even on devices
where the code was compiled with a frame pointer, you still need symbols so
you know what each frame’s function was.

Another approach is to unwind on the device. In my experience, using
libunwind, this is successful about 50% of the time. It also risks hanging the
app, which looks even worse to the user than just crashing.

Years ago, I briefly considered having our crash SDK, optionally and with user
consent, extract the symbols and unwind data from the libraries on the device
and upload them to our backend. I dismissed it as too expensive to do on a
user’s phone.

Instead, we crowd source as much as we can from our employee phones.

Android native code crashes remain a bear to diagnose. Especially annoying
since Android itself collects a ton of diagnostic data about your app when it
crashes - it just doesn’t make it easily, or in some cases at all, accessible
to the app itself.

------
mirimir
How the bloody hell is it _permitted_ for _apps_ to be uploading _system_
files?

This wouldn't be possible in Linux, right?

Basically, this is malware.

Edit: Thanks, all. So OK, I get that it's possible, because apps have read and
execute permissions for all libraries that they use.

But it's not common for apps to upload system files, right?

~~~
prongletown
>This wouldn't be possible in Linux, right?

If you have read access, then yes. Conventional desktop and server linux
distributions would allow this behavior. As does android. Good luck using
dylibs without it, anyways.

Since the android market is so fragmented and customized, this probably saves
them from having to buy lots of phones when diagnosing crashes.

The knee-jerk reaction is to feel uncomfortable but these are system files,
shipped with the phone, that are accessible to anyone who purchases the phone.
This saves FB the trouble of spending $200 every time a new OS update comes
out. Personally, with that knowledge, I don't have a problem with this -
however, I have a ton of problems with other stuff FB does so I'm happy to
keep not using their service.

~~~
_bxg1
> If you have read access, then yes. Conventional desktop and server linux
> distributions would allow this behavior.

The difference is in people's expectations of mobile vs. desktop apps. You'd
never install untrusted software on your desktop, but mobile OSes provide the
sense that software is isolated. In Android, that's mostly an illusion.

~~~
feanaro
I feel like users install untrusted software on the desktop all the time and
it's called closed source software.

It's not like Facebook is some small, unknown malware peddler so that its
software should be considered "untrusted". If anything, it's untrusted because
it's coming from a scummy company and opaque (due to being closed source).

~~~
_bxg1
You're right that it being from Facebook makes things a little different. At
the same time, I've never _needed_ to install a native desktop app from
Facebook and I'd have some suspicion about doing so if such a thing existed,
for exactly this reason.

------
ahachete
It's not my business, as I don't use the FB app --and I won't. But even if the
original intent was to help the debugging process, this is not acceptable.
This is, to put it plainly, copying files from a user's device, without the
user's consent.

FB has the means (resources) to route around this and find the ways to
properly debug apps.

I hope this would find its way to Google Play blocking the app and a class
action lawsuit. It's the only fair outcome.

------
wrs
Why is this bad? Don’t most error reporting libraries send this sort of
metadata with exception stacktraces? I would think this falls under the usual
“improving the quality of the app” language in nearly everybody’s EULA.

~~~
ErikAugust
It doesn't just send a list of libraries, it actually uploads the libraries
[1].

You seriously think that's a good use of bandwidth?

[1]
[https://twitter.com/wongmjane/status/1167463077748436993?s=2...](https://twitter.com/wongmjane/status/1167463077748436993?s=20)

~~~
wrs
Given the Wild West nature of Android, there may be no other possible way to
get that version of that system library to debug something.

~~~
ErikAugust
I would have to hope that uploads are only triggered if the hash in the
metadata wasn't found in their massive store of libraries.

------
camgunz
Exfiling a file off my device w/o my consent is... hopefully against Android's
ToS? Looking to see if FB gets banned from Google Play....

------
calhoun137
One reason to do this would be to discover what other apps the user has on
their device which may not be detectable by other methods. That is valuable
business intelligence that could be used in various ways for maintaining a
competitive advantage. I got this idea from this reply:

[https://twitter.com/nial_26/status/1167464788667928576](https://twitter.com/nial_26/status/1167464788667928576)

~~~
tgsovlerkhgsel
Doubt it - if it's system libraries, I'd expect them to be immutable outside
system updates.

I would expect them to potentially grab the list of apps separately from that
though (Some Ad SDKs do that, not sure if Facebook also does it -
[https://www.androidauthority.com/sdk-invasion-a-privacy-
thre...](https://www.androidauthority.com/sdk-invasion-a-privacy-
threat-803262/))

------
thsealienbstrds
That's what I expected when I installed the app. Just kidding, I would never
install the app.

------
kamyarg
Just deleted Facebook, this one is too much.

------
bt848
To the extent that Facebook has any utility at all, it works fine on a mobile
web browser and when you close the tab it's gone. Why does anyone install the
app?

~~~
beatgammit
I don't use Facebook, but mobile apps tend to add features compared to the web
app, such as notifications, integration with other apps (e.g. contacts), and a
cleaner UX.

That being said, even if I used Facebook, there's no way I'd install their app
because I don't trust them.

~~~
ppseafield
Indeed mbasic.facebook.com works, but it doesn't look as good and doesn't
support message notifications. It's a trade-off I'll take for now, but not
everyone will.

------
fareesh
Aside from fingerprinting, what other nefarious uses could this have in
theory?

~~~
w3rhn2j34oh5o
Grabbing rootkit artifacts that could be on the device?

Its just that its not Facebooks place to do this. I wouldn't expect a app
linux binary to upload the contents of /usr/lib, or a windows app to start
sending system32 dll's off system.

FB can try to sell this as a 'lite-AntiVirus' type service, but that is not
its place. There is no indication the app is doing this. Its FB being creepy
as usual.

If Google did it, it would be less creepy, just like how Microsoft can grab
malicious files detected by Defender -- but they write, support and protect
the OS! FB is just an app. It shouldn't be harvesting its users operating
system files!

~~~
evilDagmar
Google already does what people are spewing apologetics about as justification
for Facebook's behaviour, but they do it the _right_ way.

Google's SafetyNet scans the system files, but it looks for _specific_ files
that should not be there and ensures that certain files that must remain
unaltered actually remained unaltered to ensure that the security model is
still intact, so it doesn't need to violate copyright laws by stealing copies
of files off the user's phone without permission or user awareness.

...and funny that you mention Windows Defender because it repeatedly advises
the user that it might upload files to Microsoft and asks for their approval
for doing so at multiple points. Microsoft is being perfectly transparent
about what they're doing and giving users the ability to opt-out. They're also
the people who make the entire operating system so they've got an obligation
to try real hard to prevent another Blaster incident. Facebook just makes a
social media app.

------
19ylram49
Yikes. Does Facebook even try to not be creepy?!?

------
rolph
i was looking around to find lore regarding sandboxing android apps, so far i
found this interesting:

[https://www.reddit.com/r/androidapps/comments/5n7ak9/any_app...](https://www.reddit.com/r/androidapps/comments/5n7ak9/any_app_to_sandbox_another_android_apps_for/)

And this too:

[https://www.gtricks.com/android/how-to-sandbox-android-
apps-...](https://www.gtricks.com/android/how-to-sandbox-android-apps-for-
privacy/)

~~~
saagarjha
As other commenters have mentioned, traditional sandboxing mechanisms would do
little here. Applications are always given read access to system libraries
because they need them to function.

~~~
rolph
im thinking about how we get to non traditional sandboxing

~~~
saagarjha
Here's a stupid idea I had elsewhere in the comments:
[https://news.ycombinator.com/item?id=20840466](https://news.ycombinator.com/item?id=20840466)

~~~
rolph
i think one of the biggest nuts to crack is that end user is in app space and
cant black list apps [such as FB] from system procs and resources. If we could
sniff and/or hook for requests to read the entire library all at once, or for
such a request from a particular app, and ~pihole it or give it a honeypot to
suck on for data.

------
eurasiantiger
This cannot be for feature detection. Are they looking for exploits?

------
riyakhanna1983
If the company leaders and employees have any integrity left, they should quit
their jobs and do something that's actually worth doing for humanity and
mankind.

------
bubble_talk
We should create a "privacy hall of shame" (I was tempted to call it the
"privacy offender registry") and list the names of all the employees who work
on these features, along with an easy-to-read blurb which explains how the
feature could be misused. Bonus points for linking to their social profile. If
you cannot find the actual person, go up the org chart and list the person
closest on the hierarchy.

Not that it is going to matter, any more than you can dissuade members of a
cult by telling them they should forego their membership. It just seems to
bring the cult closer together.

~~~
wilg
This is called "Doxing"[1] and it's a form of harassment and a violation of
privacy.

[1]
[https://en.wikipedia.org/wiki/Doxing](https://en.wikipedia.org/wiki/Doxing)

------
jammygit
I find it unsettling in general that some app has the ability to do this. What
are our other apps up to?

How good is the sand boxing on iOS?

~~~
saagarjha
Sandboxing on iOS would not stop this sort of thing. Not that this would be
useful on iOS, some all the libraries are combined into one file, mapped into
every process, and easy to grab from a firmware image. (I guess this could be
useful if you’re trying to debug something on an internal install?)

------
aledalgrande
Wonder if they're also doing creepy stuff with the other apps they bought
(Instagram, Whatsapp)

------
_bxg1
Android is the Windows of mobile: anything goes, in terms of both user
tweaking and sketchy apps.

------
schwede
Facebook is validating my decision to not install their apps.

------
ProAm
Which android permission does this fall under I wonder?

~~~
lkhhj
None, libraries are readable by any process, as they should.

~~~
ProAm
Reading yes, executing yes, reading for the sole purpose to upload to a remote
server?.... barf and egregious

~~~
longcommonname
How would you enforce your ideal scenario?

------
sova
You reckon this facespace thing will ever catch on?

------
fnord77
how was she able to capture / sniff those HTTP posts? Any kind of sniffer
would just get encrypted SSL data...

~~~
mdavidn
The major HTTP proxy debuggers all support MitM of TLS traffic using a
locally-generated CA trusted by the device.

~~~
fnord77
thanks. I was imagining using wireshark and just getting garble

------
a3n
Data charges?

------
KorematsuFred
MISLEADING HEADLINE : Facebook is only copying meta data about the libraries.

THIS is a good thing.

~~~
aloknnikhil
No it's not. They're compressing the libraries and sending them all upstream.
They're also eating into data caps (probably they're doing this only over Wi-
Fi) let alone flouting all kinds of copyright laws

