Oh Sorreee! Sorree!
It must be a bug we take our l/users data very seriously and w...............
Of course it could just be a bug.
Social networking giant and market-leading data broker Facebook is once again taking heat for playing fast and loose with its access to personal information. This time, it's the Facebook Android app that is under the spotlight after folks noticed it requesting an extraordinary amount of access privileges – specifically, …
The Facebook mobile app should be classed as "malware" and removed from all app stores immediately.
Two reaons spring to mind as to why it was written the way it was.
1) The android securtity model is shite, it's not granular enough. You want access to the photo library, you need to grant the app with access to the phone records ( or some such bollocks! ). The Android secuirty model during development needs to be far more granular. When I need access to the network system, it should be portitoned out to only sub components I need and nothing else. When my app requests access to the photos, it gets access to the default photo app and the default photo directory and nothing else, not the phone records, SMS, logs from all other apps and Lord knows what else.
2) Facebook simply wrote the app o include all privs and hoped users were to busy or stupid to realise what they were agreeing to!
( Sadly I already know which is the most likely. )
I remember someone downloading the FB app a year or so ago and being shocked at the huge list of secuirty categories the app asks for. Why the fsck does a social media app need access to your phone records?! We all know the reason but FB is firghteningly insidious and vile invention, the worst bit is it's nothing to do with being social. The "social media" part is simply a by-product of one of the biggest advertising, captive audience systems in the history of humanity.
The android securtity model is shite, it's not granular enough. You want access to the photo library, you need to grant the app with access to the phone records ( or some such bollocks! ). The Android secuirty model during development needs to be far more granular. When I need access to the network system, it should be portitoned out to only sub components I need and nothing else. When my app requests access to the photos, it gets access to the default photo app and the default photo directory and nothing else, not the phone records, SMS, logs from all other apps and Lord knows what else.
Complete nonsense. Every single example you've given is a separate permission in Android. Call logs are separate from calling permissions are separate from media storage are separate from SMS logs are separate from SMS sending permissions. In older versions you had to accept all the permissions an app requested in order to install it but the last few major versions have included the option to selectively bar each app from each permission category.
Not that I'm defending Facebook, or suggesting their app isn't malware, but you need to get your facts straight before you start pontificating about how to fix things. The issue here is that Facebook made yet another monolithic grab for data and turned out the usual shit apology when they got caught.
I dunno, its not complete nonsense (apart from OP's examples). A better example would be Whatsapp. If I want to share media I've taken with people through Whatsapp, then I must grant Whatsapp the "Storage" permission. This doesn't give Whatsapp permission to read my media, and write received media to a particular folder, it gives it permission to create, read, update and destroy any user file in any location.
Effectively, if you want to be able to share media, you also have to open all your data to the app in question and trust that it won't look in other places.
"Effectively, if you want to be able to share media, you also have to open all your data to the app in question and trust that it won't look in other places."
Check phone. Access to Storage off.
Opens gallery, and there are the photos.
Hint: Deny all on installation and then allow what you want when it requests it.
I fail to understand why it even needs an app - it's just a view into the web pages. The only thing FB won't let work in the mobile web page is messenger, which is no great loss to me, but equally I bet could still be done in a mobile web page. The only reason for the app is to slurp your data, so I didn't bother installing it.
FB can not only read your whitelists and blacklist but also change them. This has the wonderful advantage for FB that they can whitelist any site which says how wonderful they are and blacklist sites such the old faithful ElReg who sometimes point out small failings of FB (which are of course total lies in the eyes of
FZ***erberg). Of course since the users have willingly granted this access without reading the Ts&Cs, FB is only giving the users what they want.
Easier said than done after they recently changed Facebook mobile browser access to disallow messaging. Also it will nag the hell out of you all the time "why haven't you installed the app", "this would work much better if you installed the app", etc, ad nauseam.
.....'May not have been intentional.'....
So with everything we now know... Up to 2 Billion slurped, of which 87m are guaranteed. Plus, Zuk lying to congress for 10 hours straight and denying Shadow Profiles, or Offline-Tracking of Users / Non-Users. Surely this is an intentional landgrab... Last 'big-slurp' before GDPR / looming US regulation?
Just wondering how the forced acceptance of apps data slurping is going to stand up to GDPR.
Noticeable all the leading contenders are forcing you to accept their terms, or else.
I thought consent to give away your data had to be 'freely given' and not coerced (and what about all your contacts data that gets slurped too?)
Looking forward to some interesting case law....
AFAIK, GDPR explicitly forbids service in return for personal data, unless that personal data is necessary for providing the service.
So saying "If you want us to send you a some crappy copy/paste on what the name of your firstborn child allegedly means, please enter their name and your email below" is OK, whereas "In order to send cat videos to your mates, please enter the name of your firstborn child and your email below" is not ok.
GDPR also says that data must only be used for the purpose(s) for which consent has specifically been given, and must be destroyed when it is no longer needed for that purpose. So once you've sent your email saying 'The name 'Fartboy' has its origins in Middle-eastern heraldic runes dating from 1297' etc, you are required to destroy your copy of the data. burying some text in the privacy agreement saying you reserve the right to keep it forever and/or mail it to relevant marketing companies who will send you spam is absolutely NOT ok.
Additionally: you have the right to request what data a company has on you, who they've given it to, and exactly what they will be using it for. If you don't like it, you can demand it's deletion/destruction, and the company you gave it to is required to (a) do it within 1 month, and (b) make sure anybody else they've given it to also destroys it within 1 month.
GDPR is A GOOD THING. More than a few parasitic marketing companies will be sh*tting themselves roundabout now.
What data? Data from their own app sandboxes? Like how often you play the particular app and how many IAP you made?
Let's be clear here, it's not sending data from your phone, Android security model clearly prevents this, the only data of could send is data from within the apps own sandbox.
If you rooted your phone, you obviously have to regard for privacy or security, as clearly rooting a phone opens up a whole world of hurt, and breaks trust chain (do you trust whatever exploit you used to root to not have delivered bonus features?)
Granting farmville game access to your contacts and then wondering why Facebook has your contacts, that's a pretty dumb thing to do, and perhaps modern technology isn't for you, if you don't understand basic questions and their consequences.
Let's not forget iOS never has proper sandboxes, and for years apps were slurping contact data without needing to grant ANY permission whatsoever...
Additionally, there are major problems due to the retarded use of FAT for external sdcard access (they are attempting to tighten it down with emulated filesystem layers hacks these days) [presumably so you can shove your card straight into your pc - despite MTP (https://en.wikipedia.org/wiki/Media_Transfer_Protocol being available ]
An app may legitimately ask for "media/sd/external storage access" to store large amount of details, but granting it gives full access (read write) to the whole card, as there are no file-ownership attributes - that includes all apps that may use it for storage and code - all your videos, pics, etc.etc. -- everything).
Some of the other permissions are actually quite lax too (like facebook, appeasing the developer not protecting the consumer, and assuming developers will play nice)
The android sandbox is rather leaky. Even with *no additional privileges* it is allowed network access, and general "world" rights on the Linux sub-system.
For instance, you can be uniquely tracked (Mac address), located (wifi-location services via arp lookup of AP mac address), sites you connect to (netstat), os version/patch level/hardware info (uname, etc,) - and all sorts of other stuff.
Imagine if you were running linux on your home desktop - what could an application do with a 'guest login' shell, and the ability to phone home? - there's the problem - that's what an android app has.
Before Android 6.0 you needed a permission, since then, it's no longer available...
Congratulations, you get my fail of the week.
Hey Mr anon. A quick tip:
People often make mistakes - we are after all, human.
However, if you are going to call somones post out as "utter nonsense" or accuse them of being your "fail of the week", you better be bloody sure you are correct.
So, in the spirit of your condescending reply, I respond:
My post is true, not nonsense.
Unlike you, "anon", my post was based on personal investigation, not on "what someone else says".
Unlike you, "anon", if I'm going to dispute what someone says, I'm not arrogant enough that I don't check my facts first.
Try it yourself:
Create an app, with NO PRIVILEGES - then read the text file /proc/net/arp
To help you out, I just modified an apk for you to test it yourself: http://www.jamielandegjones.com/android/get-mac-without-privs.apk
Now, normally you wouldn't sideload an unknown app from "random internet poster", right? But, as you are so confident of the android security model, you'll have no problem installing this - it clearly requests no privileges.
Fire it up. It's a terminal emulator, installed with zero permissions.
This works up to android 5 at least, and I suspect it works on 6 and maybe even 7 - access to proc was restricted in 7 or maybe 8, but I haven't had a chance to test it to see how thorough the restriction is.
Whilst here, use that app to have a good old nose around, install some homemade c executables to test ioctl and other calls.
You'll be surprised at what you see.
So, in summary, the utter nonsense is your reply. How's that "fail of the week" going now?
I forgot to mention: Whilst "cat /proc/net/arp" will give you the mac of the router, to find your own mac, again, WITHOUT any special privileges, open a socket to AF_NETLINK, or from the command line:
If that doesn't exist, download a "busybox" binary, and type "busybox iplink"
So there you have it: MACs of both the router and your own device. - without permissions - at least as far as Lollipop.
As I said, look at android from a Linux point of view, rather than from an android point of view - you'll be surprised.
"What data? Data from their own app sandboxes? Like how often you play the particular app and how many IAP you made?"
IAP? Do you mean in-app purchases? That would be an understandable data exchange, for obvious reasons, but I never engage in in-app purchases.
Aside from that, yes -- app-related data, as well as whatever personal data the app requires access to (address book, etc.). Unless the data is required in order to perform the function the app is designed to perform, no app should be sending any data from my devices.
"Rather put a crimp in our BYOD strategy"
There is no way that I would ever allow my personal device to take part in the BYOD schemes I've seen -- they all require the installation of software that is far too invasive.
So, if I need a smartphone for work, I just ask my employer to supply one, and I only use it for work-related purposes.
© The Tory Party 1979, Distribiuted under license.
"Take from the honest, hard working lower classes, give to the freeloaders and criminals"
- ©Labour, probably.
The only real difference between the two above is the top one redistributes upwards mostly and the bottom one redistributes downwards mostly but both feather their own nests and the lot in the middle, the people who work for a living and generate the wealth are the resource from which the redistribution is made.
Biting the hand that feeds IT © 1998–2019