
CVE-2019-3568 suggests this was a buffer overflow. I'd like to understand why this was implemented in native code - Android seems to have an `android.net.rtp` package?

Is this simply for performance, or to enable code-sharing across Android and iOS? Is there anything about WhatsApp's use-case that would prevent an implementation using managed code?



Also, what exploitation mitigations are broken on Android/iOS such that a buffer overflow is reliably exploitable? Are their implementations of ASLR useless? Is it trivially bypassed? Is mandatory code-signing not enabled/enforced?


All very good questions, hopefully we can get some more information as time progresses (maybe a PoC, or at least a technical write-up on the specifics)


Is Android.net.rtp available on every supported Android and Google Library version combination that WhatsApp natively supports?


AIUI, no. That package was added in Honeycomb (API level 12), whereas WhatsApp currently supports Gingerbread (API level 10).

However, two API levels of compat. seems like a good trade to me in order to avoid an RCE.


How many millions of users would be excluded if they chose that path, and are their controlling shareholders okay with that reduction of active users?


I suspect we'll never know for sure, but we can guess. ~73% of users apparently use Android to access WhatsApp [1]. As of the start of 2018, WhatsApp had 1.3 billion monthly users [2].

Less than 0.3% of Android users globally use an incompatible API level. If we assume this applies equally to the WhatsApp userbase (and old-Android users are represented with the same proportion in the active monthly users figure) and use 0.3%, we have 2.8 million potentially impacted users. At the current rate of about 1M new users per day, it'd take two or three days for this small slice of the userbase to be replaced.

It would've been losing 0.0219% of their userbase to avoid an RCE that impacted 100%. Now, how much revenue did those users bring in? And how much has this announcement damaged Facebook's share price?

[1] https://venturebeat.com/2015/08/27/three-quarters-of-whatsap...

[2] https://techcrunch.com/2018/01/31/whatsapp-hits-1-5-billion-...


I agree with your point, given that data.



