Facebook has dismissed allegations in The Sunday Times that the web giant's Android app can hoover text messages from phones as "creative conspiracy theorising". Flatly denying the claim published by the broadsheet at the weekend, the social network's UK office said its app's ability to access text messages was open and …
Wasn't there another company, oft mentioned in conspiracy theories, that used this self-same excuse after a minor privacy issue?
Just off to Google it to see if I can remember who it was.....
Re: redundant code?
What I find interesting here, is the inconsistency of the media's reporting.
One week it's Android Malware scare stories, they next week, they are pointing out how the permissions based system on Android highlights how some apps have dodgy permissions.
Surely this story should be highlighting the benefits of Google's permissions system over the "Apple will deal with it" iOS system...
Re: reticulating splines
Nope - that's just the default notification tone. Change it or turn it off entirely in the Facebook app settings ("Notification ringtone")
Re: Re: reticulating splines
Strange, the app never did that on mine until the most recent update.
Standard Android problem
Every single app asks for every other permission on the book, and there is no way to remove these permissions selectively.
Re: Standard Android problem
I agree a way to have the app but refuse some permissions would be an improvement but the rest of your comment is not true. Plenty of apps only request the permissions they need and I even have a few that request no permissions at all.
Re: Standard Android problem
Cyanogenmod lets you revoke permissions on a per-app basis. It can lead to unstable apps however.
I always considered the facebook app to be far too permission hungry for my liking, I just go through the mobile web.
Which is exactly the sort of feature that must find its way into the Android core.
Re: Re: Standard Android problem
Mobile web for me too. Unfortunately the FB app is preinstalled on the latest HTC ROM update. I don't use it because of the SMS-reading issue, but there is a process under the FB app called UploadManager, which starts automatically and can't be turned off. I naturally wonder why they want permission to read my messages and what they're uploading to where.
Re: Re: Cyanogen
IIRC, one of the Android engineers specifically stated that this won't happen. It would potentially cause a wave of support requests and of crashing apps being voted down if they made this feature available in stock Android and it was utilised by the less than clueful.
Re: Re: Re: Cyanogen
It's too bad, because if people could block apps from having access that they don't need to do what they advertise, and then the apps crashed and then got downvoted, it might force the developers to build better apps that don't need access to your address book to show the time and date.
Re: Standard Android problem
Get LBE Privacy Guard - it allows you to block access to contacts, call logs, SMS, data, wifi etc selectively by app.
Its also free - problem solved.
Selective removal of permissions
If you're not afraid of rooting your phone, there are two excellent third-party solutions to this problem.
The first one is to install CyanogenMod. Then when you go to Settings --> Apps --> Manage Apps (or wherever you can view an app's details), at the bottom of the screen where the app's permissions are listed, tapping on any permission will toggle it. This is what Google should have added to Android in the first place.
Downside: this requires a factory reset.
A more elegant solution is LBE Privacy Guard, a simple app that requires root privileges but can otherwise be installed just like any other app on top of your existing system. Its permission management is not that fine-grained, but it has one huge advantage over CM - instead of actually giving the app a slap on the wrist when it attempts to use a permission that has been revoked, it'll intercept the API call and feed it false information.
I've used both solutions (separately) for some time and prefer LBE Privacy Guard because it's more elegant: ...
An app that wants to use a revoked privilege on CM will get an "access denied" message. Some apps aren't designed to cope with this and will crash.
An app guarded by LBE PG on the other hand will simply see an empty phone book, an empty message list, a phone serial number consisting of all zeroes, etc. depending on the permissions you've revoked. It's tricked into believing it still has the revoked privilege but there's simply no data worth looting.
In addition to granting and revoking permissions, LBE PG can also be set to ask or alert you each time an app wants to use a certain privilege.
Paris, because she's been rooted countless times.
Can I copyright my face so that I can sue Facebook if I find a single image of myself on it ?
Any other body parts you might need to copyright?
(just in case of course)
Although strictly speaking, I think your parents might be able to support a claim of prior use.
Paris - cos' she'd keep the copyright honchos (aka parasites) busy
Dormant My Ass
If they're not using that code, then they don't need that permission and it should be removed.
If they do introduce a new feature that uses, then change the app permissions so the user is prompted to accept the app permissions again with the text message access hightlighted as new.
Youtube accessing the camera isn't an issue at all, the Youtube can invoke the camera so that you can take videos to post to Youtube.
mmmmm....can't be long before...
....FB automtically starts recording everything on a phone and around a phone when that phone is automatically seen (GPS wise) to have entered a "zone of interest." Somewhere between FB's "dormant code" and Google's "oops...rogue staff member" there's some right dodgy sh*t going down. I'm away to start polishing me tinfoil hat.
If your phone is rooted then you can install something like "LBE Privacy Guard" and selectively enable/disable permissions for apps.
If you're testing something internally then why does the public available app request those permissions? You can do your internal test with a private version of the app installed from an internal server.
I don't use FB but if I did I would have rejected their app on the basis that it doesn't need that permission.
FaceBook with SMSs?
They'd better watch it, some places and providers don't include unlimited SMS as part of their plan. Sure, they're cheap on my contract, but enough of them will add up to a shock. Having just looked at the permissions requested (damn Xperia Mini is full of "social networking" rubbish that I don't want, and a lot of it starts at start-up (until I kill it, that is)), I'm less concerned FB can look at my texts and more concerned it wants the ability to send texts. This, filed rightly, under "Services which can cost you money"...
As for YouTube, the one on my phone doesn't claim a right to access the camera at all. I think it just tasks off the video recording job to the built in recorder - better that way as it would offer a consistent UI.
Not evil just incompetent
So if they're not conspiratorial, they need to learn how to use SCM so they don't need to dump test code in their released app.
Re: Not evil just incompetent
Unless the test is to see if people install the app anyway...
One major reason many Android apps request far more permissions than necessary is that, if permissions change in a future update, the automatic update and "update all" features of Android won't work for that app and the update will need to be installed manually.
If Facebook were to provide a SMS service later on, users would need to go and manually install the new version. To make matters worse the "Update (manual)" message is shown in red as if it was some error. When faced with this many non-geek users will simply not install the update.
By simply requiring all foreseeable permissions from the start the app avoids this. It's bad practice but developers are stuck between a rock and a hard place with this one.
Then they should pressure google to fix whatever design flaw that stops the apps from requesting changed permissions on update.
What they should do is request permissions they don't need at the moment.
Seems like an android weakness tbh.
This is an Android strength. If version 1 has no permissions but can be automatically updated without the user's knowledge to send SMS to premium rate numbers then Android WOULD have a flaw.
Meatvisor, the facebook app did not require this permission from that start. When the permission was introduced, people had to manually update (but some of us uninstalled instead) even though there was "no need" for the permission to be added.
Craigness, the Facebook app has been requesting that permission since version 1.5.4, launched April 2011. That's nearly a year ago.
At the time many got the manual update notice and choose to deinstall the app instead. This just reinforces my point: if companies make such permission changes so visible during updates, many users will either not update or worse - they'll *remove* the app. If a company just puts in all permissions from the start most won't ever notice.
Several phones come with the Facebook app already installed, many with the newer version where the SMS permission was already accepted. These users wouldn't even know the app could access their text messages.
Also can you explain the Youtube app needing access to the camera if not for future proofing?
Android's permissions may sound great in theory but recent news like this show that in practice the mechanism sucks. Sorry you can't see this.
I'm not an expert but I believe that already works.
For instance, I think Google Maps recently added an "NFC" permission - or something else did. As far as I remember, it was conspicuously highlighted. I don't have NFC hardware so I wasn't worried. But Google Maps uses a -lot- of permissions.
I generally don't allow any app to update automatically. If I did, then I assume that an added permission would stop that from happening. But to take that as an argument to install originally with permissions that your app -might- want to use some day is moronic, IMO.
Another option, I think, is to publish your app in different versions, with different permissions fOr each. But I don't know if you can replace one with another. Paid and free (ad-supported) product versions are an example: the "free" ediition needs to go to the Internet to download advertisements to show you, the paid product maybe doesn't require Internet permission.
I got my phone in April 2011 and I installed FB back then. The update for the SMS stuff was much later. They changed the permission and some people decided not to update, which shows that the permissions mechanism is awesome - I was using the old version of the app for ages and didn't have to worry about what FB could do to me! On lesser operating systems you just get what you're given.
Can you explain why the Youtube app has not requested every permission in the book?
Can you explain why developers, believing that people will not install the app if it requests permission to read their SMS, will make version 1.0 of the app request permission to read their SMS even if it doesn't use that permission? Some people decided not to update FB but there may have been others who updated it in spite of the new permission, simply because they had become accustomed to using the app and wanted the new functions. They might never have installed it if it had always required that permission.
Your hypothesis does not support the facts and it makes no sense.
The fact that I wouldn't be surprised if it were true
Says so much about the reputation FarceBork has earned itself than whether or not it's actually true.
Whenever I tried to do something in the FB app the GPS icon came on.
Re: Re: The fact that I wouldn't be surprised if it were true
Google lubz my info's
Re: Re: Re: The fact that I wouldn't be surprised if it were true
Fortunately you didn't remove the Youtube app with its camera permissions so I watched you bating over the latest Android activation figures - it wasn't a pretty sight.
If I look at my selection of "suggested" chat buddies in the bottom right of the facebook screen then most of them are people who have text me at some point recently. I understand if they have inboxed me on facebook, but SMS? Hmm.I was always cautious of this and raised this point with a mate who also doesn't trust it.
Oh, and I don't ever use facebook chat as i'm permanently offline.
I also hate the fact that if I leave GPS switched on but not active, logging into the app fires up my GPS for an obvious location report. I think I'll go the way of others and use the mobile site from now on.
None of the people I've texted in the past month are in my Facebook chat list.
About six months ago I binned my BlackBerry in favour of Android. And I've found that the permissions handling on Android seems to be all about the app's author and not the device's owner.
An example: I used to use a newspaper app on my BlackBerry but not permit the connections it wanted to make in order to display in-line advertisements. I liked that capability but I'm pretty sure the authors didn't.
Why would anyone want an app to write something to an message they are sending?
It must be for advertising purposes so why would someone want to do that?
It could also be like Angry Birds does, to enable network billing:
Oh, well, that's OK then...
... so you want permission to snoop around in my stuff, you're just not actually doing it.
███████ TRUST ███ ██████ US ██████, ALL ███ ███ IS ██████ WELL. ██████ WE'RE ███ ██████ NOT █████████ EVIL. YOUR █████████ FACEBOOK
Use tinfoil for android.
Excellent recommendation, now installed on my phone, can't uninstall the 2 FB apps that came with it though, one is FB and the other is FB for HTC sense, but at least I can force stop them.
Maybe it's time to look into rooting the phone.
Not a bad thing
"The permissions issue is as much one for Google as Facebook: Apple's iOS walls off certain phone functions from third-party apps - including text messages and phone functions. But on Android phones that information is accessible to apps, provided the user agrees on downloading the app."
So in other words: Android allows apps to ask your permission to gain functionality that is impossible on iOS. Why are you trying to paint this as a bad thing? More capability is a GOOD thing, especially when it requires explicit permission from the user.
Just say no
When I switch my 'phone on I get a T&C accept decline for Faecesbook every time. And every time I tap 'no'.
Pity the FB app can't be uninstalled totally. I have absolutely no use for it.
Re: Just say no
What about the Youtube app that records from your camera at any time?
Re: Re: Just say no
There are not two separate camera permissions, one reading "allows the camera to record at any time" and "allows the camera to record when the users tells it to". If you don't trust Youtube you shouldn't trust any camera app for Android, because they all have the same goddamn permission.
Re: Re: Just say no
OF COURSE YouTube records from your camera. How else are you going to create and upload a video from your phone? Trying to paint that particular permission is a sinister light is just plain silly.
What puzzles me
What puzzles me is why anyone would say yes to these types of permissions.
Some of the apps I find interesting on the Google marketplace ask for a bewildering array of permission that have absolutely nothing to do with their core function, web advertising accepted of course.
Re: What puzzles me
In a word, share buttons. "Tell your friends!"
Share via SMS? "Read and send text messages" permission.
Share via Facebook? "Full internet access" permission.
Share via Gmail? Google account permission.
Share via other email? Email account permission.
You might think there's some built-in ShareButton class that lets every app do all these ubiquitous tasks without special permissions. Nope.