Daniel Sinclair @_DanielSinclair Building for young people. Not reading @danielsunread. Lurking behind likes and thinking about social media, communication, & China. Aug. 30, 2019 1 min read

Really interesting discovery. Compatibility in the Android ecosystem is a nightmare that requires you to build a standard library vacuum.

There are a few reasons you may want to do this, but I think the most likely is for crash reporting & stability/compatibility testing. This allows Facebook to sweep the broad Android ecosystem to find edge cases. Interesting tool; I personally am not familiar w/ others like it.

Depending on when this appeared, it may also be a supporting component to maintaining the integrity of Facebook's end-to-end encryption platform that will roll-out with the centralization. We may be looking at the frontend of an impressive malware & vulnerability sweeper.

If we remember back to the flatmap-stream trojan horse, an attacker compromised a deep NPM dependency that became embedded across the ecosystem, & specifically targeted Copay's infrastructure to hijack Bitcoin wallets. It made it all the way into RN on iOS https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

This could support many different missions at Facebook. I don't view it as something harmful; the flaws here are truly Android's, & Facebook is working w/ the tools. We may be looking at an effort by Facebook to protect the integrity of Libra & the E2E platform. I like what I see.

Android also just faced a massive attack through yet another trojan buried in an advertising library used by a very popular app, CamScanner. We don't see many attacks at the system library level, but we will when crypto is mainstream w/ a huge incentive. https://securelist.com/dropper-in-google-play/92496/

