
If this were being done for fingerprinting, wouldn't it make more sense to use a hash of the libraries?


Taking the hash of the library doesn't help you when a user updates their device, though.


Even ignoring the ethical questions, it is a massive waste of bandwidth. They could hash the libraries, and if they get a cache miss, upload that one from one person (or perhaps a few people, since everything is in parallel). They then know what system libraries their users have installed without wasting a ton of bandwidth.

Next step to reduce creepiness is to only upload info on system libraries that actually affect the app (so if some users experience crashes and others don't, they can trace it to differences in system libraries).


And the next step in privacy after that would be to not upload the libraries at all. Actually, that should have been their first step…


How would uploading the library help with that?


It's almost infinitely easier to track a library update if you have the actual libraries on hand to compare, rather than two hashes.


But that presumes a human engineer is going through and looking at the libraries in order to maintain fingerprints. I suppose it's possible that's what Facebook is doing, but it strikes me as a massive waste of time, particularly in comparison to all of the other metrics at their disposal.


There are a lot of techniques to compare binary similarity that don't require human intervention.

Edit: see for instance https://www.usenix.org/conference/usenixsecurity17/technical...


But you could do that on the device too, you don't need to upload the library.

I don't know; you could be right—maybe Facebook really wants their analysis to only run on their own servers. It just seems like a stretch to me.


I feel like running strings on the binaries would do a pretty decent job.
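Added worked example, not posted by any commenter and not Facebook's code: the hash-the-library-and-upload-only-on-cache-miss scheme from the bandwidth comment above, plus the on-device `strings`-based comparison suggested in this comment, in Python. The `UploadServer` class, the sample library bytes, and the 0.5 similarity threshold are constructed for illustration and are assumptions, not anything described in the thread.

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed stand-ins for three system libraries on a device (not real binaries).
# LIB_V1 and LIB_V2 are two versions of the same library; LIB_OTHER is unrelated.
LIB_V1 = (b"\x7fELF\x00\x00libfoo.so\x00open_socket\x00parse_header\x00"
          b"close_socket\x00version 1.0\x00\x01\x02\x03")
LIB_V2 = (b"\x7fELF\x00\x00libfoo.so\x00open_socket\x00parse_header\x00"
          b"close_socket\x00verify_tls\x00version 1.1\x00\x04\x05\x06")
LIB_OTHER = b"\x7fELF\x00\x00libbar.so\x00draw_frame\x00blit\x00version 2.3\x00\x07"


def lib_hash(data: bytes) -> str:
    """Content hash used as the cache key: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


class UploadServer:
    """Hypothetical server-side cache keyed by content hash (an assumption, not a real API)."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}
        self.bytes_received = 0

    def has(self, digest: str) -> bool:
        return digest in self.store

    def upload(self, digest: str, data: bytes) -> None:
        # Never trust the client's claimed digest: recompute before storing.
        if lib_hash(data) != digest:
            raise ValueError("uploaded bytes do not match claimed digest")
        self.store[digest] = data
        self.bytes_received += len(data)


def sync_device(server: UploadServer, device_libs: Dict[str, bytes]) -> List[str]:
    """Client side: hash every library, upload only those the server has never seen.

    Returns the names of the libraries that were actually uploaded.
    """
    uploaded = []
    for name, data in device_libs.items():
        digest = lib_hash(data)
        if not server.has(digest):
            server.upload(digest, data)
            uploaded.append(name)
    return uploaded


def strings(data: bytes, min_len: int = 4) -> Set[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, data)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def classify_update(old: bytes, new: bytes, threshold: float = 0.5) -> str:
    """On-device comparison of two library files without uploading either.

    Identical hash -> "unchanged"; string-set similarity at or above threshold ->
    "updated" (same library, new version); otherwise -> "different" (probably a
    different library). The threshold is an assumption for this example, not a tuned value.
    """
    if lib_hash(old) == lib_hash(new):
        return "unchanged"
    if jaccard(strings(old), strings(new)) >= threshold:
        return "updated"
    return "different"


if __name__ == "__main__":
    server = UploadServer()
    device_a = {"libfoo.so": LIB_V1, "libbar.so": LIB_OTHER}
    device_b = {"libfoo.so": LIB_V1, "libbar.so": LIB_OTHER}   # same image as A
    device_c = {"libfoo.so": LIB_V2, "libbar.so": LIB_OTHER}   # libfoo updated
    print("A uploads:", sync_device(server, device_a))
    print("B uploads:", sync_device(server, device_b))
    print("C uploads:", sync_device(server, device_c))
    print("bytes received by server:", server.bytes_received)
    print("libfoo v1 -> v2:", classify_update(LIB_V1, LIB_V2))
    print("libfoo v1 -> libbar:", classify_update(LIB_V1, LIB_OTHER))
```

With three devices, two of them on the same image, the server receives each distinct file exactly once; the second device uploads nothing, and the third uploads only the library whose hash changed. The `classify_update` step is the on-device alternative to shipping both versions to a server: the string-set overlap is enough to tell "new version of the same library" from "a different library", and the raw bytes never leave the phone.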


Why wouldn't they just track the model of the phone + the current software version if fingerprinting was the goal? How would this approach give them any more fingerprinting data than that one?


You could do that more easily with file names though. I doubt libraries significantly (if at all) change their file names when they update.



