Facebook scans system libraries on Android and uploads them to their server

I was going to say this isn’t a big deal but copying and uploading the libraries is actually illegal (copyright violation) and users likely can’t even consent to this even if it is in the Facebook ToS as many android phones contain proprietary libraries not licensed for redistribution.<p>The creators of those various libraries should have a valid legal case against Facebook here, if they want to exercise it. I doubt any users are being harmed by this but it’s a violation of the software creator’s rights.

I&#x27;d expect that they&#x27;re doing this because they&#x27;d like to diagnose crashes or bugs on systems that they don&#x27;t have the hardware for. It&#x27;s still somewhat creepy and possibly a fingerprinting mechanism.

How does the internal culture at FB come to grips with the world&#x27;s vision of them as creepy and amoral and still do stuff like this anyway?

Isn’t this potentially a copyright violation?<p>Especially on Qualcomm devices (such as the Jolla phone) Qualcomm explicitly forbids you from distributing their OpenGL drivers. So if facebook copies libGLESv2.so off from the device they are potentially performing straight piracy at that point.<p>If I recall the damages demanded by RIAA it was several hundred k per infringement.

As someone who’s built my company’s mobile crash reporting solution, I have a guess why they might do this.<p>It’s is extremely difficult to diagnose Android native code crashes. Unlike iOS where it is both straightforward to unwind on the phone, and where Apple makes the iOS system symbols available for symbolizing system frames in a stack trace, neither of these things are true on Android.<p>My first approach for my company’s Android crash manager SDK was to use Google Breakpad. This works by capturing a snapshot of stack memory at the time of the crash. Unwinding then occurs on a backend server. But to unwind successfully, absent a frame pointer register, you need unwind info to provide to the unwinder. This simply isn’t available except for Nexus devices for which you can download the system images from Google. And even on devices where the code was compiled with a frame pointer, you still need symbols so you know what each frame’s function was.<p>Another approach is to unwind on the device. In my experience, using libunwind, this is successful about 50% of the time. It also risks hanging the app, which looks even worse to the user than just crashing.<p>Years ago, I briefly considered having our crash SDK, optionally and with user consent, extract the symbols and unwind data from the libraries on the device and upload them to our backend. I dismissed it as too expensive to do on a user’s phone.<p>Instead, we crowd source as much as we can from our employee phones.<p>Android native code crashes remain a bear to diagnose. Especially annoying since Android itself collects a ton of diagnostic data about your app when it crashes - it just doesn’t make it easily, or in some cases at all, accessible to the app itself.

How the bloody hell is it <i>permitted</i> for <i>apps</i> to be uploading <i>system</i> files?<p>This wouldn&#x27;t be possible in Linux, right?<p>Basically, this is malware.<p>Edit: Thanks, all. So OK, I get that it&#x27;s possible, because apps have read and execute permissions for all libraries that they use.<p>But it&#x27;s not common for apps to upload system files, right?

It&#x27;s not my business, as I don&#x27;t use the FB app --and I won&#x27;t. But even if the original intent was to help the debugging process, this is not acceptable. This is, to put it plainly, copying files from a user&#x27;s device, without the user&#x27;s consent.<p>FB has the means (resources) to route around this and find the ways to properly debug apps.<p>I hope this would find its way to Google Play blocking the app and a class action lawsuit. It&#x27;s the only fair outcome.

Why is this bad? Don’t most error reporting libraries send this sort of metadata with exception stacktraces? I would think this falls under the usual “improving the quality of the app” language in nearly everybody’s EULA.

Exfiling a file off my device w&#x2F;o my consent is... hopefully against Android&#x27;s ToS? Looking to see if FB gets banned from Google Play....

One reason to do this would be to discover what other apps the user has on their device which may not be detectable by other methods. That is valuable business intelligence that could be used in various ways for maintaining a competitive advantage. I got this idea from this reply:<p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;nial_26&#x2F;status&#x2F;1167464788667928576" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;nial_26&#x2F;status&#x2F;1167464788667928576</a>

That&#x27;s what I expected when I installed the app. Just kidding, I would never install the app.

Just deleted Facebook, this one is too much.

To the extent that Facebook has any utility at all, it works fine on a mobile web browser and when you close the tab it&#x27;s gone. Why does anyone install the app?

Aside from fingerprinting, what other nefarious uses could this have in theory?

Yikes. Does Facebook even try to not be creepy?!?

i was looking around to find lore regarding sandboxing android apps, so far i found this interesting:<p><a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;androidapps&#x2F;comments&#x2F;5n7ak9&#x2F;any_app_to_sandbox_another_android_apps_for&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;androidapps&#x2F;comments&#x2F;5n7ak9&#x2F;any_app...</a><p>And this too:<p><a href="https:&#x2F;&#x2F;www.gtricks.com&#x2F;android&#x2F;how-to-sandbox-android-apps-for-privacy&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.gtricks.com&#x2F;android&#x2F;how-to-sandbox-android-apps-...</a>

This cannot be for feature detection. Are they looking for exploits?

If the company leaders and employees have any integrity left, they should quit their jobs and do something that&#x27;s actually worth doing for humanity and mankind.

We should create a &quot;privacy hall of shame&quot; (I was tempted to call it the &quot;privacy offender registry&quot;) and list the names of all the employees who work on these features, along with an easy-to-read blurb which explains how the feature could be misused. Bonus points for linking to their social profile. If you cannot find the actual person, go up the org chart and list the person closest on the hierarchy.<p>Not that it is going to matter, any more than you can dissuade members of a cult by telling them they should forego their membership. It just seems to bring the cult closer together.

I find it unsettling in general that some app has the ability to do this. What are our other apps up to?<p>How good is the sand boxing on iOS?

Wonder if they&#x27;re also doing creepy stuff with the other apps they bought (Instagram, Whatsapp)

Android is the Windows of mobile: anything goes, in terms of both user tweaking and sketchy apps.

Facebook is validating my decision to not install their apps.

Which android permission does this fall under I wonder?

You reckon this facespace thing will ever catch on?

how was she able to capture &#x2F; sniff those HTTP posts? Any kind of sniffer would just get encrypted SSL data...

Data charges?

MISLEADING HEADLINE : Facebook is only copying meta data about the libraries.<p>THIS is a good thing.