I'm not making a moral judgement (FB is a big yikes), just technical. They'd have to:

- build lists of every phone, including carrier variant and internal revisions (pretty common!), to make sure they could be sure they had a complete library
- rely on the manufacturer to publicly post the ROM (cheaper mfg won't do this) (or somehow retrieve the URL from the update mechanism, said URL not easily accessible from userspace)
- handle the multiple different packaging mechanisms that Android phones, especially older versions, use (Google has gone a long way in remediating this but FB has to support billions of devices that don't adhere to best practices).
- For ROM packages that are encrypted, they'd need to acquire the keys from real devices.
- and they still would not have visibility into non-posted firmware, such as factory versions with day 1 upgrades (aka many many devices)

OR

- grab the files and send 'em
2. I have doubts that you need copies of all kinds of system libraries to debug that crash. They won't help you debug a crash dump (assuming they don't have debug symbols left in for some reason). They generally won't help you reproduce the crash unless you actually know reproduction steps - it wouldn't surprise me if they tracked every user action, but I doubt they do - so it takes many of those crashes to even start debugging. At that point you probably know precisely which library you need and can obtain it legally.
That said, I agree that uploading the files themselves is not necessary to fingerprint users (the hashes would totally suffice). Unless they do the uploading as a cover-up story, which doesn't make much sense either.