Hacker News

How would uploading the library help with that?


It's almost infinitely easier to track a library update if you have the actual libraries on hand to compare, rather than two hashes.


But that presumes a human engineer is going through and looking at the libraries in order to maintain fingerprints. I suppose it's possible that's what Facebook is doing, but it strikes me as a massive waste of time, particularly in comparison to all of the other metrics at their disposal.


There are a lot of techniques to compare binary similarity that don't require human intervention.

Edit: see for instance https://www.usenix.org/conference/usenixsecurity17/technical...


But you could do that on the device too, you don't need to upload the library.

I don't know, you could be right—maybe Facebook really wants their analysis to only run on their own servers. It just seems like a stretch to me.


I feel like running strings on the binaries would do a pretty decent job.


Why wouldn't they just track the model of the phone + the current software version if fingerprinting was the goal? How would this approach give them any more fingerprinting data than that one?


You could do that more easily with file names though. I doubt libraries significantly (if at all) change their file names when they update.



