Jane Manchun Wong
Facebook scans system libraries from their Android app user’s phone in the background and uploads them to their server. This is called "Global Library Collector" at Facebook, known as "GLC" in the app’s code. It periodically uploads metadata of system libraries to the server.
Jane Manchun Wong Aug 30
Replying to @wongmjane
Facebook’s Android app fetches metadata of the system libraries that haven’t yet been uploaded in the background. From Facebook’s server, I found they have already collected metadata of 2233 system libraries from my phone, of which 1162 system libraries are pending to be uploaded.
Jane Manchun Wong Aug 30
Replying to @wongmjane
Facebook can upload the entire files of all system libraries to their server through their Android apps. The app compresses each system library file using gzip and uploads them to the server. Interestingly, the files are uploaded to a specific collection that’s related to my phone.
Jane Manchun Wong Aug 30
Replying to @wongmjane
There doesn’t seem to be an opt-out option for Facebook Global Library Collector, nor does it seem to be possible to view what they have uploaded from our devices. Not sure what’s the purpose of GLC, but I guess it can be used for determining system integrity, compatibility.
Jane Manchun Wong Aug 31
Replying to @wongmjane
When I came across this, the optimist in me thinks this is an unorthodox way to gather data for debugging, optimizations, sec, etc. Somewhere in my mind thinks this is a little off. Thank you for pointing out the aspects I didn't think of before! This is certainly a can of worms..
Jane Manchun Wong Aug 31
Replying to @wongmjane
If GLC is created to help make the app run better, I think an engineering blog explaining GLC, or other ways to transparently elaborate what the Facebook app can collect, could clear up some speculations :) Even better, it will be reassuring to provide an opt-out option from GLC.
Jane Manchun Wong Aug 31
Replying to @wongmjane
For example, Google arguably does a similar scanning with Play Protect (and SafetyNet). They inform users what they have scanned, options to opt-out, and a help page explaining how Google thinks it's beneficial. This could be a good case study for FB :)
Jane Manchun Wong Aug 31
Replying to @wongmjane
If you're developing some groundbreaking Android device or ROM that contains system libraries that are meant to be confidential, you should not test it with apps that scan and upload metadata of system libraries. Or at least test it isolated from the internet.
Jane Manchun Wong Sep 1
Replying to @wongmjane
I kept seeing some misconceptions that twist the meaning of my find: This is only found in Facebook's main Android app, not Messenger, not Instagram, not WhatsApp, not any third party apps that use their SDK. There are parts of the Graph API that only Facebook's app can access.
Jane Manchun Wong Sep 1
Replying to @wongmjane
The code I'm focusing on here only accesses the system libraries, which are not necessarily generated by users. This code is not created to scan your personal photos, etc. It only scans the libraries.
Jane Manchun Wong Sep 1
Replying to @wongmjane
"System libraries" are the components of the system on your phone. They are pieces of programs that are meant to be used to provide functionalities for other programs, such as apps. "System libraries" are not your personal photos!
Jane Manchun Wong Sep 1
Replying to @wongmjane
If you reduce the tweet into "Facebook scans and uploads everything", it will no longer have the same meaning anymore! I included the other parts in the sentence to specify important info. It's not there to fill up space
Dr.House, M.D. Aug 30
Replying to @wongmjane
Does this occur only if using their app or even the web mobile version or some apps that provide fb services without ads etc?
Jane Manchun Wong Aug 30
Replying to @RSrivathsava
Only with Facebook for Android, this one:
Jeff Aug 31
Have you checked the messenger app?
Jane Manchun Wong Aug 31
Replying to @jjwlmsn @RSrivathsava
I checked. Not seeing GLC existing in Messenger for now..
Jeff Aug 31
"for now" for sure. Thanks again for finding this and for replying!
Sven Andersson Aug 31
Replying to @wongmjane @mansj
In other more important news, what font is that? Looks wonderful!
Jane Manchun Wong Aug 31
Replying to @andsve @mansj
Iosevka. I love this font because it fits more text in my 13" laptop screen.
Sven Andersson Aug 31
Replying to @wongmjane @mansj
Thanks! Yes, was thinking the same! 👏👌
Joel López Aug 30
Replying to @wongmjane
Does something similar happen for iOS users?
Jane Manchun Wong Aug 30
Replying to @elJoeLopez @chronic
Will Strafach Aug 30
Replying to @wongmjane @elJoeLopez
really interesting catch Jane. I have not seen this in the iOS version. my bet is that they want better stability on Android so want to analyze system library variants - and apparently did not even think to ask user permission.
Random Guy Aug 30
Also iOS's system is not even readable and they don't have access to anything.
Ethan ArbuckIe Aug 31
on iOS you can in fact read system libraries (by design - it’s how you use them)
Varun Vyas Aug 31
But you have to ask for the user permission? Or developers can use them without asking.
Ethan ArbuckIe Aug 31
Replying to @vyasvarun
without asking. It’s a critical part of how apps work. All UI in every app was drawn using system APIs