What the actual fuck? How is this not a violation of my privacy expectations, and how is this justified?
Quote Tweet
Facebook scans system libraries from their Android app user’s phone in the background and uploads them to their server. This is called "Global Library Collector" at Facebook, known as "GLC" in app’s code. It periodically uploads metadata of system libraries to the server.
This Tweet was deleted by the Tweet author.
Apps can obviously read the system libraries that are part of the public API on iOS too. Why not retract the clearly false and uninformed statement? Leaving it up to mislead people while knowing that it's so clearly wrong is dishonest. There's definitely a strong app sandbox.
The SELinux policy has to go out of the way to mark libraries that are part of the public API as accessible to apps. There are out-of-band updates to libraries via apks too, but they'll always end up near the latest version and those have verified boot too. It's not identifying.
I don't know why you claim that apps have read access to everything. They have read access to very little. They can access an extremely tiny subset of /proc (a subset of information for their own processes), essentially none of /sys (a couple specific APIs), none of debugfs, etc.
There's a vbmeta image that's signed and has hashes of every OS partition. Hash of vbmeta (which has hashes of everything else, so it's a hash of the entire OS) is public knowledge and given to apps as part of features like attestation. No point of looking at libraries for that.