Jane Manchun Wong
Facebook scans system libraries from their Android app user’s phone in the background and uploads them to their server. This is called "Global Library Collector" at Facebook, known as "GLC" in app’s code. It periodically uploads metadata of system libraries to the server.
Jane Manchun Wong 30 Aug 19
Facebook’s Android app fetches metadata of the system libraries that haven’t yet been uploaded in the background. From Facebook’s server, I found they have already collected metadata of 2233 system libraries from my phone, in which 1162 system libraries are pending to be uploaded.
Jane Manchun Wong 30 Aug 19
Facebook can upload the entire files of all system libraries to their server through their Android apps. The app compresses each system library file using gzip and uploads them to server. Interestingly, the files are uploaded to a specific collection that’s related to my phone.
Jane Manchun Wong 30 Aug 19
There doesn’t seem to be an opt-out option for Facebook Global Library Collector, nor does it seem to be possible to view what they have uploaded from our devices. Not sure what’s the purpose of GLC, but I guess it can be used for determining system integrity, compatibility.
Jane Manchun Wong 31 Aug 19
When I came across this, the optimist in me thinks this is an unorthodox way to gather data for debugging, optimizations, sec, etc. Somewhere in my mind thinks this is a little off. Thank you for pointing out the aspects I didn't think of before! This is certainly a can of worms..
Jane Manchun Wong 31 Aug 19
If GLC is created to help to make the app run better, I think an engineering blog explaining GLC, or other ways to transparently elaborate what Facebook app can collect could clear up some speculations :) Even better, it will be reassuring to provide an opt-out option from GLC.
Jane Manchun Wong 31 Aug 19
For example, Google arguably does a similar scanning with Play Protect (and SafetyNet). They inform users what they have scanned, options to opt-out, and a help page explaining how Google thinks it's beneficial. This could be a good case study for FB :)
Jane Manchun Wong 31 Aug 19
If you're developing some groundbreaking Android device or ROM that contains the system libraries that are meant to be confidential, you should not test it with apps that scan and upload metadata of system libraries. Or at least test it isolated from the internet.
Jane Manchun Wong 1 Sep 19
I kept seeing some misconceptions that twist the meaning of my find: This is only found in Facebook's main Android app, not Messenger, not Instagram, not WhatsApp, not any third-party apps that use their SDK. There are parts of the Graph API that only Facebook's app can access.
Jane Manchun Wong 1 Sep 19
The code I'm focusing on here only accesses the system libraries, which are not necessarily generated by users. This code is not created to scan your personal photos, etc. It only scans the libraries.
Jane Manchun Wong 1 Sep 19
"System libraries" are the components of the system on your phone. They are pieces of programs that are meant to be used to provide functionalities for other programs, such as apps. "System libraries" are not your personal photos!
Jane Manchun Wong 1 Sep 19
If you reduce the tweet into "Facebook scans and uploads everything", it will no longer have the same meaning anymore! I included the other parts in the sentence to specify important info. It's not there to fill up space.