Facebook app now reads your smartphone's text messages? THE TRUTH

Facebook's updated Android app can read text messages on the user's smartphone. The tweaked software now demands access to SMS and MMS messages, and the change was spotted yesterday by blogger Tony Calileo. "This is just one of a bunch of new permissions the app is requesting for this update, but it's probably the most alarming …

COMMENTS

This topic is closed for new posts.

Silver badge

Noticed the new permissions already...

Every couple of days my phone tells me there's an updated Facebook app to install..

Every couple of days I say no thanks.

14
2
Anonymous Coward

Inch by Inch

I'm sorry, but I just don't have the trust in Facebook that many others seem to have. What they say today is not always what they do tomorrow.

While plausible I still believe it opens the door to other intents, little by little they reel you in......

13
0
Silver badge

Re: Noticed the new permissions already...

When I saw the permissions it was asking for (IIRC some time in December), I quickly uninstalled this horrible piece of bloatware and disabled the pre-installed app on my phone. My thinking at the time was along the lines of, "Fuck you FaceBook, go and push your spamvertising at someone else."

3
0
Big Brother

Lazy people to blame, as usual

If you're aware of it, most clueful SMS apps in Android will present a toaster notification when you get a new message so you can read a 2FA verification code and tap it in with very little inconvenience. (ChompSMS does this quite nicely and has options to adjust on-screen display for what remnants we have left of our privacy.)

Frustratingly though, as usual, we all have to blindly accept a blanket read permission simply because people can't be arsed to go into their text messages to get a six digit code. What's the point of two factor if you're allowing an app unsupervised access?

This is also an excellent highlight of Android's frankly shit permissions model. I'd dearly love to be able to selectively deny permissions to an app to invoke certain functions or system calls (optionally reenabling it later) but nope - vaguely descriptive catch-all categories are all we get.

The more clueful devs are beginning to list reasons for why their apps request permissions, this should be a mandatory requirement for every app, viewable by all potential punters and completely granular. Apps should also not crash out if part of a call is denied access (they should trap it and just return a null, perhaps with viewable message explaining what's not working) but this would need to be baked into the AOSP core. And can you imagine the software community rewrite carnage...

At least our security model is moderately translucent, unlike Big A's black box (which GCHQ are gleefully busy exploiting)...

29
2
Silver badge

Re: Lazy people to blame, as usual

What this really needs is a service dealing with 2 factor authentication that has its own permission. That way an app does not need full SMS permissions to do the 2 factor authentication.

10
0

Re: Lazy people to blame, as usual

I partly agree but it's not only because of lazy people. Not everyone is very good with technology, that said I'm sure some people are unable to easily confirm their account using a code in a SMS. Facebook doing it automatically for them is very welcome.

2
2

Re: Lazy people to blame, as usual

I can see a future where Android provides a nice and sealed off two factor auth method... provided you credential with a Google account - or share your other account details with them! </cynic>

5
0

Re: Lazy people to blame, as usual

I'm all in favour of more secure accounts. I just find it hard to believe that they'll be competent enough to activate or even understand how two factor works if they still struggle to read SMSes ;-)

5
1

Re: Lazy people to blame, as usual

"I'd dearly love to be able to selectively deny permissions to an app to invoke certain functions or system calls (optionally reenabling it later)"

Apps like LBE privacy guard allow you to do that.

Totally agree that Android's out of the box take it or leave it approach is a little more transparent but ultimately does bugger all to protect your privacy

7
0
Silver badge

Re: Lazy people to blame, as usual

Totally agree that Android's out of the box take it or leave it approach is a little more transparent but ultimately does bugger all to protect your privacy

Remember that it wasn't Google's idea to do it this way. Their original permissions model was at the insistence of the app developers who wouldn't jump from the Apple store unless they had more control over permissions.

Given that environment, there's no turning back with regards to the structure, but we can certainly augment the structure to make it more useful. As noted, perhaps the permissions can be divided into more sub-permissions. Also, I think most would appreciate each permission having a written justification provided by the developer.

7
0
Anonymous Coward

Re: Lazy people to blame, as usual

LBE Privacy guard does not work on Android versions 4.3 and up. Android hinted at possibly later providing native support for privacy-related permissions with the 4.3 release, however as it was still in beta, you needed a third party app to interface with it (see App Ops Starter). It wasn't as functional as LBE, but at least it gave you some basic level of control.

Then, for no apparent reason, they removed the functionality completely in version 4.4.2. Now, there is nothing to manage permissions. Nice one Google. You're on the fast track to becoming the Apple of the 2010s.

3
1
Silver badge

Re: "permissions model was at the insistence of the app developers"

Really? Ugh.

Maybe Android should be changed so that, if you enable Developer mode, you get fine control over permissions - that way, those who give a monkey's can get it done, and those who don't care don't have to worry about it?

0
0
Anonymous Coward

Re: Lazy people to blame, as usual

Is it 6 digits? What's wrong with using alphanumerics? Even if you strip out the one that could be misread (like lowercase L) you still end up with more variance in 4 positions than 6 numerics would give you.

Sigh.

0
0
Silver badge

Re: Permissions control

I use Comodo Security to control the app permissions: https://play.google.com/store/apps/details?id=com.comodo.pimsecure. From the notifications it gives, there are a lot of apps busy in the background!

0
0
Silver badge

Re: Permissions control

And I wouldn't trust COMODO if they paid me.

2
0
Silver badge

Re: Lazy people to blame, as usual

At least our security model is moderately translucent, unlike Big A's black box

I'd call Android's security model translucent. It's confusing, but if you actually do understand it you know what it's doing. That's not to say it doesn't have problems. Only a fool or a fandroid would call it perfect.

0
0

Re: Lazy people to blame, as usual

Yep. Google Authenticator was built just for cases like this. Several services on my phone use it, and no need for SMS.

0
0
Bronze badge

Glad I abandoned Android and Facebook for Android. I didn't add my phone number to my FB account and don't require two step authentication. These blokes can't be trusted with personal info.

3
0
Silver badge

"These blokes can't be trusted with personal info."

Facebook, Google or both?

1
0
Bronze badge

Please Google let us selectively deny tokens that an app requests.

The app developer should have the ability to state whether a given token is mandatory or optional and a few lines to describe why they want it.

As for optional tokens, there are two ways this can be easily handled. The app developer could either receive a runtime exception when they make a call to a method where the token was denied or they could elect to receive fake data for things like contact lists, GPS coordinates or SMS messages. Then even lazy developers could mark most tokens optional without needing to make code changes.

3
0
Bronze badge
Boffin

>Please Google let us selectively deny tokens that an app requests.

What, like, say BB10 ? On the wrong platform, mate !

1
0

BB10 here too, never had an Android phone, and I was dismayed to read how Android app permissions work!

And then some of these people laugh at my choice of phone...

0
0

So apps want to do two factor authentication by themselves without the actual human user in the loop and they see far too many passwords. Then a rogue App logs into your Internet banking, requests a TAC for a 3rd party transfer and starts to empty your account.

7
0
Silver badge
Facepalm

You're good.

It only took .5sec for me to make that deduction.

0
2
Bronze badge

Re: rogue App

From 1995, a Dilbert cartoon:

http://dilbert.com/strips/comic/1995-12-29/

2
0
Bronze badge

Yet another reason to suspect MZ is on the NSA/CIA payroll?

Yet another reason to also SLAM google for not creating any sort of content vault system.

BY DEFAULT, google, damn you, every piece of information on a user's devices should be subject to granular access controls/permissions.

-- Kakao, talk, line, whatever apps are there in the store or other sources should not have carte blanche access to contact lists!!!! Create in the contact list a check box to deprive access by/reads by apps listed on the install list or at the users' whims.

-- apps that access or attempt to access contacts, logs, text, memos, art, jpgs, whatever, should be logged and reported to google, AUTOMATICALLY, so that in real-time, google can push down code to users' devices to thwart in a heuristic manner any subversive, invasive, or other surgical attacks on our devices

If google cannot participate in this kind of discussion and facilitate better protection, first-party, then why do we put up with this shitty state of affairs? How can we bludgeon or chest-punch google into getting off the sidelines?

I'm surprised the ACLU and EFF do not seem to be weighing in on this issue on a regular basis.

2
0
Happy

One does not have to be on Zuck-book

I just aren't. There, solved.

6
1

Re: One does not have to be on Zuck-book

I'm not there either. I still have a Facebook app pre-loaded on my phone, which I can't uninstall. Now it repeatedly asks for updates, which I repeatedly refuse. The nagging is annoying.

5
0
Bronze badge

Re: One does not have to be on Zuck-book

Why haven't you rooted your phone yet? Once you root it, you just use something like Root Explorer, and go to /system/Apps and delete any offending "App" you dislike from there...

3
0
Silver badge

Re: One does not have to be on Zuck-book

You may not be able to uninstall it, but you can probably disable it (assuming it's an Android phone)

1
0
Bronze badge

Re: One does not have to be on Zuck-book, Say WHAT?!

Just yesterday, on my Android-based phone, I saw "update facebook", but I ignored the shit. Due to another app not refreshing, I decided to reboot my phone, which works for that given app when the screen stays black and it takes 10 seconds for a long press on the home button to exit the app or present me a task list.

I task-kill the app, root around (myself, no root capabilities) looking in vain to kill anything else, and then shut off the antenna, turn on airplane mode, and then...

After I rebooted, mysteriously (or, why should I have been surprised), no more nag/listing "update facebook".

I have for YEARS suspected that fucking android and/or some other apps in the phone bypass the antenna setting, leave the icon dimmed, and call home.

After this reboot, I saw something akin to "binary installed". WHAT THE FUCK!!! The antenna was OFF, or so I commanded.

And, at SFPL, where various versions of Android would die or lock up, when connected to the lib's wifi... But, falling back to an older version was OK? That was around early-to-mid 2013, and seems to have stabilized. But, personally, given SF's leftness, and SFPL's steadfast anti-surveillance compliance, and refusal to hand over patron borrowing history, I strongly suspect the library's payroll involuntarily has IT staff who work for another entity. Wifi, for free, in a major library, in a left-town that acts like a nation-state? Not being surveilled? Yeh, right. Maybe the potentially-present sniffing gear had issues with my tablet being the Korea-locale variety? I dunno. My older, android phone was seemingly ok, but not my recent, 2012 Tab.

Anyway, only with some proper RF gear might I determine whether my phone blurps/beeps/sends or takes in any code.

Hell, I insinuated that zuckerberg may be on the nat-sec payroll. I suspect google is and has been all along, and possibly even apple. After all, if Apple's warez needed FEWER nat-sec letters to monitor, then it's possible either Apple was cored or just gave up the stuff. All the foot dragging is just for show, for public consumption.

I guess one way to find out if our phones talk surreptitiously is to plant vile stuff on them and wait to be contacted. Just plant vile shit on them, but never directly log on to anything, never surf, never allow it to turn on the antenna, not by one's own hand. Then, just wait for it to violate the users' commands and then get "discovered".

Oh, wait, that's my outraged mind speaking. I prefer to not be cuffed, and don't recommend embarking on a cuff-worthy path. But, goddammit, it is the GOVERNMENTS' jobs to do their OWN fucking dirty work, not drag companies into it and facilitate wholesale slurping, or take things to the point that our devices by default LIE to us and by default report on or pass up the line any and every thing they see or are fed.

Sigh...

Back to Spooks (er, umm, MI-5, since the USA's history clashes with the term "spooks" being used in a broadcast program.... Sigh ) a quite brilliant, even if entertaining, show.

0
0
Bronze badge

iOS?

"We saw a similar cycle last year over iOS read/write permissions"

I can't find any more information on this. What's the app privacy situation on iOS?

0
0
Gold badge

Re: iOS?

iOS stuff asks for permissions as you use the feature. At least the stuff I've installed. And then there are permission lists scattered around the rather disorganised settings menu, where you can grant or remove permission for each app individually. It's then up to the dev what they want their app to do.

Some simply stop, say they need the permission activated and don't do anything else. So you have to go back to settings and enable - weirdly this doesn't seem to happen via the app.

I've just looked, and actually there's a privacy menu now, which covers most of it. Although I notice that in giving Google maps permission to use location services (for satnav) it also gave itself a 'background app' permission I wasn't previously aware of. Hidden in another bit of the settings menu. So that it could access location services even when the app wasn't turned on. So I guess I've been updating Google on lots of stuff to help their mapping for the last couple of months since I used G maps for sat-nav. Cheeky fuckers. Or data-thieves, as they really are.

Anyway, Apple is a bit of a mess, but mostly pretty good.

1
0
Gold badge

Re: iOS?

PS:

I decided to have a look. Surprisingly enough Google Maps also asked for permission to use the microphone. Denied. Nothing has asked for Bluetooth or photos. Only Gmail wanted contacts, also denied.

Location Services seems to be the biggie, that every app seems to want. I assume it's partly because of advertising. Here Apple are quite good, as even Apple's own apps have to ask for permission to use this. So I've allowed Apple maps, but not the camera or Safari, for example.

Apple also have an advertising bit in the privacy settings. You can limit ad tracking (whatever that does) and manually re-set your advertising tracking ID.

0
0
Silver badge

Re: iOS?

". Surprisingly enough Google Maps also asked for permission to use the microphone."

Not so surprised by that - Google Maps can do speech based searches on Android so I'd expect the iOS version to offer it too.

1
0
Bronze badge

Re: iOS?

I've had non-smart phones from 2005 that had the correct method of permissions, and that was in java (mobile version)!

I guess someone got greedy along the way?

0
0
Silver badge

Re: iOS?

I guess someone got greedy along the way?

Yes, the developers. They wanted control as a prerequisite to developing the app at all. So it was basically "my way or the highway".

0
0
Thumb Up

Re: iOS?

That reminds me a lot of how Symbian managed permissions.

The first time the app tried to do something requiring a specific capability, I'd get a pop-up describing the permission, typically very specific, it requires and the option to select "Never", "Once" or "Always". Plain and simple. Many apps work fine without mobile or Wi-fi network access. As a bonus developers get to write one app and gracefully degrade for parts that customers won't authorise. The Android model seems to favour monolithic apps and avoid cooperating applets/services. Maybe because of the limited tasking.

*sigh* How things have improved :(

0
0
Silver badge

Why not just use the mobile version of the site?

0
0
Silver badge

I think facebook design their mobile site

to encourage users onto the app - it's hideous.

0
0
Gold badge
Happy

Re: I think facebook design their mobile site

Lamont Cranston,

You say that as if the non-mobile version of Facebook is any less hideous.

As always I default to my standard belief in incompetence over conspiracy (or plan) every time...

1
0

I did complain to one app author successfully.

They had permissions creep and wanted access to the microphone on an IR Remote Control app (to let you make voice commands to trigger the remote functions).

After having words with them, they now do two versions, a basic and one with all the extra functions.

I doubt that Facebook and Twitter (which also wants access to your SMS) will release a less intrusive app. And as a result, I am not updating them.

If anyone knows a good and trustworthy app that will access Facebook and Twitter without all the extra intrusive permissions, please let me know.

I might even write my own.

2
0

I got pissed off with the Android app, so I de-installed it and now just use the web interface. That does what I need - I'm not sure why one needs the app itself.

5
0
Anonymous Coward

Hmmmm....

"I got pissed off with the Android app, so I de-installed it and now just use the web interface. That does what I need - I'm not sure why one needs the app itself."

And you think the web browser doesn't have all the permissions the app wanted anyway !!!!

0
0
Anonymous Coward

Re: Hmmmm....

The browser has less permissions. Especially Firefox.

Rather than install 100 different apps, I try to use the browser where possible.

0
0
Bronze badge

Permissions creep

Too many apps seem to require lots of irrelevant permissions. Often arriving with updates (so clearly they didn't need this in the previous version).

My favourite (moaned about elsewhere) is the blanket access to phone call details. Most of the recent trivial apps seem to need to know who I've been phoning. (So I only use these on a phoneless tablet, if at all).

3
0
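An added example, not part of any comment in this thread: one way to catch permissions arriving with an update is to diff the `<uses-permission>` entries of the old and new `AndroidManifest.xml` before accepting it. The two manifests, the package name `com.example.social` and the `SENSITIVE` shortlist are constructed for illustration and assume the manifests have already been decoded to plain-text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Shortlist chosen for this example: permissions that expose private data.
SENSITIVE = {
    "android.permission.READ_SMS": "read stored SMS/MMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.RECEIVE_MMS": "intercept incoming MMS",
    "android.permission.READ_PHONE_STATE": "phone identity and call state",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.RECORD_AUDIO": "use the microphone",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NAME_ATTR)
            if name:
                perms.add(name)
    return perms

def permission_creep(old_xml, new_xml):
    """Compare two versions; report added, removed and sensitive additions."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    added = sorted(new - old)
    return {
        "added": added,
        "removed": sorted(old - new),
        "sensitive": {p: SENSITIVE[p] for p in added if p in SENSITIVE},
    }

# Constructed sample manifests (hypothetical app, not any real release).
MANIFEST_TEMPLATE = (
    '<manifest xmlns:android="%s" package="com.example.social">%%s</manifest>'
    % ANDROID_NS
)

def make_manifest(names):
    entries = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % n
        for n in names
    )
    return MANIFEST_TEMPLATE % entries

OLD = make_manifest(["INTERNET", "READ_CONTACTS"])
NEW = make_manifest(["INTERNET", "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS",
                     "RECEIVE_MMS", "READ_PHONE_STATE", "VIBRATE"])

if __name__ == "__main__":
    report = permission_creep(OLD, NEW)
    for perm in report["added"]:
        note = report["sensitive"].get(perm, "not on the sensitive shortlist")
        print("NEW %s: %s" % (perm, note))
```
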
Silver badge

Re: Permissions creep

Indeed.

Given that this is android, you could get google to auto-file facebook SMS in a particular folder and then allow access to just that IMAP folder.

But that would defeat the purpose.

BTW how do you stop FB accessing all your two-factor SMS' messages?

0
0

Re: Permissions creep

The blanket access to phone call details is especially common for games because when an app suddenly loses focus it needs to know how to handle it. If you receive a call midway through a game for example the app's sound needs muting, the processing paused, etc. You need to be able to read the phone's call state to do that and it is all bundled into one permission.

1
0
Silver badge

Re: Permissions creep

Sounds like poorly thought out design.

0
0
Silver badge
Pint

Re: Permissions creep

Oh, and thanks for the explanation.

0
0
