Apps using DCL after reboot

[deleted]

Hi. I have recently disabled DCL permissions globally. Today, instantly after a reboot I see notifications about apps trying to use DCL via storage and memory. I found some interesting information in Context Reverso logs that tried to use DCL via memory, there's an exception stack trace:

package: com.softissimo.reverso.context:12000025

DCL denial type: InMemoryDexFile
process: com.softissimo.reverso.context
thread: Thread-3

java.lang.SecurityException
	at android.ext.dcl.DynCodeLoading.checkInMemoryDexFileOpen(DynCodeLoading.java:82)
	at dalvik.system.DexFile.openInMemoryDexFilesNative(Native Method)
	at dalvik.system.DexFile.openInMemoryDexFiles(DexFile.java:428)
	at dalvik.system.DexFile.<init>(DexFile.java:136)
	at dalvik.system.DexPathList.initByteBufferDexPath(DexPathList.java:264)
	at dalvik.system.BaseDexClassLoader.<init>(BaseDexClassLoader.java:226)
	at dalvik.system.InMemoryDexClassLoader.<init>(InMemoryDexClassLoader.java:40)
	at dalvik.system.InMemoryDexClassLoader.<init>(InMemoryDexClassLoader.java:52)
	at dalvik.system.InMemoryDexClassLoader.<init>(InMemoryDexClassLoader.java:63)
	at z7.d(SourceFile:1)
	at com.facebook.ads.internal.dynamicloading.DynamicLoaderFactory.createInMemoryClassLoader(SourceFile:88)
	at com.facebook.ads.internal.dynamicloading.DynamicLoaderFactory.makeAdsSdkClassLoader(SourceFile:7)
	at com.facebook.ads.internal.dynamicloading.DynamicLoaderFactory.doMakeLoader(SourceFile:35)
	at com.facebook.ads.internal.dynamicloading.DynamicLoaderFactory.access$000(SourceFile:1)
	at com.facebook.ads.internal.dynamicloading.DynamicLoaderFactory$1.run(SourceFile:18)
	at java.lang.Thread.run(Thread.java:1012)

I have several questions.

I see facebooks ads in the stack trace. Does it try to inject some kind of trackers into memory when the system starts? Is it even a thing?
Why do apps use these features at all before I run them?
How harmful are these permissions? I need to use some apps that can only be installed using standalone .apk files. I mostly trust the providers of these apps, but just a little concerned because one of them tries to use DCL after a reboot (no useful logs though). Like, if somehow these apps have some malicious code, will it be a problem in GOS if they have DCL allowed?

other8026

[deleted] I see facebooks ads in the stack trace. Does it try to inject some kind of trackers into memory when the system starts? Is it even a thing?

Apps can't do that. I'd assume this Reverso (?) app uses some Facebook ads library.

[deleted] Why do apps use these features at all before I run them?

Good question. I'd direct the question to the app developers.

[deleted] How harmful are these permissions?

This is a hard question to answer. The feature helps harden against exploits and can break malicious apps that rely on DCL. If you trust the app authors and they verify the integrity of the code they're loading, then it's probably fine.

Additionally, the setting screen explains this a bit as well:

DCL makes the app mroe vulnerable to exploitation, since the dynamically loaded code can be tampered with or subsituted.

You can also learn some more reading through this issue where a couple of GrapheneOS developers explained the feature a little more: https://github.com/simplex-chat/simplex-chat/issues/4810

[deleted]

other8026 Thanks for the information!

I have a couple of additional questions.

Just for clarification, this code ran by the apps at startup can't track me or spy on me in any way? Let's assume it's not malicious code, but the apps don't respect privacy and try to get all the information they can. I think they don't target Graphene, just the users of stock Android.
I also thought this code could be just to send notifications before I run the apps. Can it work like that?
I also have an option to run web versions of these apps using Chrome (Vanadium is used for private surfing) and save them as 'apps'. But Chrome also requires DCL via memory. Can these web apps inherit this permission from Chrome?