Just yesterday, a Twitter user, in a series of tweets, pointed out a hidden Global Library Collector (GLC) in Facebook’s Android App code. According to that user, this GLC allows the mobile app to upload data from the user’s device to the Facebook server.
Now, Facebook hasn’t exactly had a clean past when it comes to data privacy. You all may have heard of the infamous Cambridge Analytica incident that happened last year. Well, it looks like the social media giant has something else up their sleeve as well.
It’s no surprise that the tweet went viral overnight and the general public has, once again, started speaking out against Facebook’s privacy practices. The Twitter user that we’re talking about today is @wongmjane and she happens to be a privacy, security and frontend expert. She looks into app security and backdoors as a hobby and explicitly states that she doesn’t work for Facebook.
Facebook scans system libraries from their Android app user’s phone in the background and uploads them to their server
This is called "Global Library Collector" at Facebook, known as "GLC" in app’s code
It periodically uploads metadata of system libraries to the server pic.twitter.com/olwk1BPMoQ
— Jane Manchun Wong (@wongmjane) August 30, 2019
For those of you who don’t know, the GLC that we talked about earlier scans the metadata of system libraries on the device the app is installed on and uploads it to the Facebook server. This is all done in the background, so the user of the device can’t see it happening. It also doesn’t happen only once. This is done periodically, and the metadata on the server is updated in case of any changes in the device files.
@wongmjane discovered that Facebook had already collected the metadata of 2233 system libraries from her phone. Out of these, 1162 were yet to be uploaded and were still pending. This led her to the shocking conclusion that Facebook has the ability to upload all of the system libraries of her phone to their servers via their app. As far as massive file sizes are concerned, the files are compressed using gzip compression.
The funny thing is that Facebook hasn’t given users an option to opt out or, at least, shown us which files are being uploaded. Similarly, Facebook also hasn’t given any explanation of why they use that particular GLC in the first place. This seems to be a typical Facebook move of collecting user data without consent.
However, before you all decide to start a protest against Facebook, it’s important to look at the positive possibilities of this scenario. Maybe Facebook uses this data to fix any existing bugs in the app or to optimize it to make it run better. But if this were the case, I’m pretty sure Facebook would’ve been transparent about this. The fact that it’s not mentioned anywhere makes it all the more suspicious.
What we can now do is hope that Facebook comes up with a reasonable explanation for using this GLC. There’s a good chance that it might lie and try to cover up its spying activities. However, thanks to people like @wongmjane, we can rest assured that it will eventually be caught.