Daniel Sinclair+ Your Authors @_DanielSinclair Building for young people. Not reading @danielsunread. Lurking behind likes and thinking about social media, communication, & China Aug. 30, 2019 1 min read + Your Authors

Really interesting discovery. Compatibility in the Android ecosystem is a nightmare that requires you to build a standard library vacuumn.

There are a few reasons you may want to do this, but I think the most likely is for crash reporting & stability/compatibility testing. This allows Facebook to sweep the broad Android ecosystem to find edge cases. Interesting tool; I personally am not familiar w/ others like it.

Depending on when this appeared, it may also be a supporting component to maintaining the integrity of Facebook's end-to-end encryption platform that will roll-out with the centralization. We may be looking at the frontend of an impressive malware & vulnerability sweeper.

If we remember back to the flatmap-stream trojan horse, an attacker compromised a deep NPM dependency that became embedded across the ecosystem, & specifically targeted Copay's infrastructure to hijack Bitcoin wallets. It made it all the way into RN on iOS  https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident 

This could support many different missions at Facebook. I don't view it as something harmful; the flaws here are truly Androids, & Facebook is working w/ the tools. We may be looking at an effort by Facebook to protect the integrity of Libra & the E2E platform. I like what I see.

Android also just faced a massive attack through yet another trojan buried in an advertising library used by a very popular app, CamScanner. We don't see many attacks at the system library level, but we will when crypto is mainstream w/ a huge incentive.  https://securelist.com/dropper-in-google-play/92496/ 

You can follow @_DanielSinclair.


Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.

Since you’re here...

... we’re asking visitors like you to make a contribution to support this independent project. In these uncertain times, access to information is vital. Threader gets 1,000,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Your financial support will help two developers to keep working on this app. Everyone’s contribution, big or small, is so valuable. Support Threader by becoming premium or by donating on PayPal. Thank you.

Follow Threader