Facebook Android app caught seeking 'superuser' clearance

Social networking giant and market-leading data broker Facebook is once again taking heat for playing fast and loose with its access to personal information. This time, it's the Facebook Android app that is under the spotlight after folks noticed it requesting an extraordinary amount of access privileges – specifically, …


  1. OffBeatMammal

    removing the FB app from my phone (a few years ago now - https://offbeatmammal.com/2014/01/14/why-i-uninstalled-facebook-and-your-app-might-be-next/) feels like a very smart decision now. Their permission (and data grab) has always been pretty egregious but coupled with their track record of bad behaviour means they (and Whatsapp etc) have no place on any of my devices unless I can block pretty much every permission request.

    1. Voland's right hand Silver badge

      First thing to disable on a new phone (disabled on all phones in the household).

      Second is Tw*tter

      Third is GooTube.

      Fourth is the new slurp version of the Android Email app that actually shoves your mail to Google - K9 instead.

      That is the minimum "surgery" reqs before use.

      1. JimmyPage Silver badge
        FAIL

        RE: First thing to disable on a new phone

        Why disable ?

        I wouldn't buy a phone with it installed to start with. Which rules out all network branded phones.

        1. Peter Quirk

          Re: RE: First thing to disable on a new phone

          On my non-carrier, unlocked Samsung S9, Facebook is classified as a SYSTEM APP, which cannot be uninstalled!

  2. Andrew Downes

    Sorry, but it's a very poor sensationalist article

    I wouldn't normally defend Facebook and I don't run the app.

    BUT "superuser" is a feature *only* on rooted android phones. Facebook pointed this out in their response, why couldn't el reg?

    Could the user just decline the permission? There's no claim that the app stopped working if the user did?

    If you root your phone you're taking bigger risks than your Facebook data. You should understand what you're doing (obviously some don't). You changed a fundamental feature of the OS and voided any warranty. Why expect app developers to test on rooted devices anyway?

    You don't even need root to install a modded OS like lineage, just an unlocked bootloader.

    1. Tim99 Silver badge
      Coat

      Re: Sorry, but it's a very poor sensationalist article

      "BUT "superuser" is a feature *only* on rooted android phones. Facebook pointed this out in their response, why couldn't el reg?"

      You do know that the TLA's are particularly interested in people who root their android device? Obviously the only reason someone would want to do that is to avoid the "normal" tracking built into any Google based system, so they are probably potential terrorists...

    2. Voland's right hand Silver badge

      Re: Sorry, but it's a very poor sensationalist article

      BUT "superuser" is a feature *only* on rooted android phones. Facebook pointed this out in their response, why couldn't el reg?

      Which is exactly why this is a Hanlon Razor case - do not seek malice where stupidity will suffice.

      F***book has a RIDICULOUS permission list on a normal phone. It asks for nearly everything. Here is the list after purging duplicates resulting from permission name changes across Android versions (make sure you are sitting comfortably and do not fall off your chair):

      This app has access to:

      Device & app history: retrieve running apps

      Identity: find accounts on the device, add or remove accounts, read your own contact card

      Calendar: read calendar events plus confidential information, add or modify calendar events and send email to guests without owners' knowledge

      Contacts: find accounts on the device, read your contacts, modify your contacts

      Location: approximate location (network-based), precise location (GPS and network-based)

      SMS: read your text messages (SMS or MMS)

      Phone: read phone status and identity

      Photos / Media / Files: read the contents of your USB storage, modify or delete the contents of your USB storage

      Storage: read the contents of your USB storage, modify or delete the contents of your USB storage

      Camera: take pictures and videos

      Microphone: record audio

      Wi-Fi connection information: view Wi-Fi connections

      Device ID & call information: read phone status and identity

      Phone: directly call phone numbers, read phone status and identity

      Phone: read call log, read phone status and identity, write call log

      Identity: find accounts on the device

      Contacts: find accounts on the device

      Identity: find accounts on the device, add or remove accounts

      Other: download files without notification, receive data from Internet, adjust your wallpaper size, view network connections, create accounts and set passwords, read battery statistics, pair with Bluetooth devices, access Bluetooth settings, send sticky broadcast, change network connectivity, connect and disconnect from Wi-Fi, full network access, change your audio settings, read sync settings, run at startup, draw over other apps, control vibration, prevent device from sleeping, modify system settings, toggle sync on and off, install shortcuts, read Google service configuration, change network connectivity, reorder running apps, set wallpaper

      I believe that this is all permissions known to Android +/- one or two. So someone in their development team got lazy and decided that "if I am on a rooted phone I might as well just ask for everything at once".

    3. Anonymous Coward

      Re: Sorry, but it's a very poor sensationalist article

      Indeed, this is obviously clickbait low quality "journalism".

      The key paragraph missed out the very key word rooted (which means it applies to a minuscule percentage of devices).

      "For Android devices, the "superuser" classification would basically grant an app full access to the device."

      This needs the word rooted or modified to make it anything but click bait

      No wonder so many iPhone cretins have their tiny brains filled with so much Android misinformation, when the media spews it into their mouths.

    4. mark l 2 Silver badge

      Re: Sorry, but it's a very poor sensationalist article

      I rooted my phone so I could uninstall system apps that I could not remove by any other way; also, rooting allowed me to install the AFWall firewall app, which allows me to control which apps can get access to the internet.

      A firewall app should really come installed by default so I don't need to root to install one. I tried norootfirewall, which worked well but would not work with tethering enabled.

      1. GIRZiM

        Re: A firewall app should really come installed by default

        The best non-root firewall I've found so far is NetPatch Firewall - the domain blocking is really useful for preventing ad-slinging networks from cluttering up my display.

        On a rooted phone it is, naturally, even more powerful.

    5. Chronos Silver badge
      Facepalm

      Re: Sorry, but it's a very poor sensationalist article

      The takeaway from this article is that FB devs don't really know exactly which permissions they're asking for so they're taking the cluster bomb approach, as in ask for everything. Android permissions are granular for a very good reason and, on Lineage, they're thrust in your face at every opportunity to give you a choice if you have privacy guard enabled by default.

      One wonders just what other permissions they have "accidentally" requested on install if they can "overlook" a root request. Send premium texts? Activate the camera or mic? Dial 09 numbers?

      FB is looking more and more toxic by the second.

      . <- and that's the point

  3. The Boojum

    "We <del>do not</del> need <del>or</del> and want these permissions, and we have already fixed this issue to extend it to all Android phones. We apologize for any confusion,” Facebook commented.

  4. CommanderGalaxian
    Facepalm

    So Facebook's response is to shoot the messenger basically

    "...caused a small number of people running the Facebook app and certain permission management apps on rooted Android phones to see a request for additional access permissions..."

    How unfortunate that some people spotted those super user requests, if only every Android user had been a sheep...

    1. cd

      Re: So Facebook's response is to shoot the messenger basically

      Android users are electric sheep.

      1. gerdesj Silver badge

        Re: So Facebook's response is to shoot the messenger basically

        Dream of electric sheep (possibly).

  5. Joseph Haig

    Just don't use the app

    You can still use Facebook in the mobile browser and get most of the functionality. It will tell you that you need the app for viewing messages but that is a lie and they are accessible by using a non-standard browser such as Opera.

  6. Anonymous Coward

    PR manual needs update

    The proverbial "a small number of people were affected" is getting a bit tired.

  7. Jamie Jones Silver badge

    Conspiracy theories

    However much you hate facebook, they'd never do this intentionally... (Though, maybe a rogue person intent on causing them damage was the culprit?)

    1. noboard

      Re: Conspiracy theories

      You really need a joke icon* with that comment.

      *As I can't see icons on any of the posts, my apologies if you have put one on.

  8. Wolfclaw Silver badge

    Translation of FB press release, oh sh!t we got caught again trying to mine user details, quick come up with a lame bug excuse, say sorry, remove it and wait a few months for the world to forget before we introduce the next privacy invading feature.

  9. Anonymous Coward

    Lord Zuck is pushing his luck

    Your data he shall suck.

  10. Paul 195

    The Facebook app is a resource hogging PITA. I went back to using the mobile version of the website about a year before I finally quit using FB completely. There are very few mobile apps that couldn't be simply replaced by a decent website, and then you don't have to play security bingo while you try to work out whether all the permissions being requested are actually reasonable.

    1. Anonymous Coward

      Until those mobile websites are hacked and you get hit with drive-by attacks...


Biting the hand that feeds IT © 1998–2019