CVE-2019-3568 suggests this was a buffer overflow. I'd like to understand why this was implemented in native code - Android seems to have an `android.net.rtp` package?
Is this simply for performance, or to enable code-sharing across Android and iOS? Is there anything about WhatsApp's use-case that would prevent an implementation using managed code?
Also, what exploitation mitigations are broken on Android/iOS such that a buffer overflow is reliably exploitable? Are their implementations of ASLR useless? Is it trivially bypassed? Is mandatory code-signing not enabled/enforced?
All very good questions, hopefully we can get some more information as time progresses (maybe a PoC, or at least a technical write-up on the specifics).
I suspect we'll never know for sure, but we can guess. ~73% of users apparently use Android to access WhatsApp [1]. As of the start of 2018, WhatsApp had 1.3 billion monthly users [2].
Less than 0.3% of Android users globally use an incompatible API level. If we assume this applies equally to the WhatsApp userbase (and old-Android users are represented with the same proportion in the active monthly users figure) and use 0.3%, we have 2.8 million potentially impacted users. At the current rate of about 1M new users per day, it'd take two or three days for this small slice of the userbase to be replaced.
It would've been losing 0.0219% of their userbase to avoid an RCE that impacted 100%. Now, how much revenue did those users bring in? And how much has this announcement damaged Facebook's share price?