Facebook denies poaching your text messages on Android

Facebook has dismissed allegations in The Sunday Times that the web giant's Android app can hoover text messages from phones as "creative conspiracy theorising". Flatly denying the claim published by the broadsheet at the weekend, the social network's UK office said its app's ability to access text messages was open and …

COMMENTS

This topic is closed for new posts.
  1. Kevin Johnston

    redundant code?

    Wasn't there another company, oft mentioned in conspiracy theories, that used this self-same excuse after a minor privacy issue?

    Just off to Google it to see if I can remember who it was.....

    1. Anonymous Coward
      FAIL

      Re: redundant code?

      What I find interesting here, is the inconsistency of the media's reporting.

      One week it's Android Malware scare stories, the next week, they are pointing out how the permissions based system on Android highlights how some apps have dodgy permissions.

      Surely this story should be highlighting the benefits of Google's permissions system over the "Apple will deal with it" iOS system...

  2. This post has been deleted by its author

    1. Malcolm 1

      Re: reticulating splines

      Nope - that's just the default notification tone. Change it or turn it off entirely in the Facebook app settings ("Notification ringtone")

      1. melt

        Re: Re: reticulating splines

        Strange, the app never did that on mine until the most recent update.

  3. ratfox
    Unhappy

    Standard Android problem

    Every single app asks for every other permission on the book, and there is no way to remove these permissions selectively.

    1. Irongut

      Re: Standard Android problem

      I agree a way to have the app but refuse some permissions would be an improvement but the rest of your comment is not true. Plenty of apps only request the permissions they need and I even have a few that request no permissions at all.

      1. Swedish Chef
        Paris Hilton

        Selective removal of permissions

        If you're not afraid of rooting your phone, there are two excellent third-party solutions to this problem.

        The first one is to install CyanogenMod. Then when you go to Settings --> Apps --> Manage Apps (or wherever you can view an app's details), at the bottom of the screen where the app's permissions are listed, tapping on any permission will toggle it. This is what Google should have added to Android in the first place.

        Downside: this requires a factory reset.

        A more elegant solution is LBE Privacy Guard, a simple app that requires root privileges but can otherwise be installed just like any other app on top of your existing system. Its permission management is not that fine-grained, but it has one huge advantage over CM - instead of actually giving the app a slap on the wrist when it attempts to use a permission that has been revoked, it'll intercept the API call and feed it false information.

        I've used both solutions (separately) for some time and prefer LBE Privacy Guard because it's more elegant: ...

        An app that wants to use a revoked privilege on CM will get an "access denied" message. Some apps aren't designed to cope with this and will crash.

        An app guarded by LBE PG on the other hand will simply see an empty phone book, an empty message list, a phone serial number consisting of all zeroes, etc. depending on the permissions you've revoked. It's tricked into believing it still has the revoked privilege but there's simply no data worth looting.

        In addition to granting and revoking permissions, LBE PG can also be set to ask or alert you each time an app wants to use a certain privilege.

        Paris, because she's been rooted countless times.

    2. Anonymous Coward
      Anonymous Coward

      Re: Standard Android problem

      Cyanogenmod lets you revoke permissions on a per-app basis. It can lead to unstable apps however.

      I always considered the facebook app to be far too permission hungry for my liking, I just go through the mobile web.

      1. g e

        Re: Cyanogen

        Which is exactly the sort of feature that must find its way into the Android core.

        1. countd
          Headmaster

          Re: Re: Cyanogen

          IIRC, one of the Android engineers specifically stated that this won't happen. It would potentially cause a wave of support requests and of crashing apps being voted down if they made this feature available in stock Android and it was utilised by the less than clueful.

          1. Darryl

            Re: Re: Re: Cyanogen

            It's too bad, because if people could block apps from having access that they don't need to do what they advertise, and then the apps crashed and then got downvoted, it might force the developers to build better apps that don't need access to your address book to show the time and date.

      2. Craigness

        Re: Re: Standard Android problem

        Mobile web for me too. Unfortunately the FB app is preinstalled on the latest HTC ROM update. I don't use it because of the SMS-reading issue, but there is a process under the FB app called UploadManager, which starts automatically and can't be turned off. I naturally wonder why they want permission to read my messages and what they're uploading to where.

    3. Chet Mannly

      Re: Standard Android problem

      Get LBE Privacy Guard - it allows you to block access to contacts, call logs, SMS, data, wifi etc selectively by app.

      It's also free - problem solved.

  4. Mystic Megabyte
    Unhappy

    Can I copyright my face so that I can sue Facebook if I find a single image of myself on it ?

    1. sabba
      Paris Hilton

      Any other body parts you might need to copyright?

      (just in case of course)

      Although strictly speaking, I think your parents might be able to support a claim of prior use.

      Paris - cos' she'd keep the copyright honchos (aka parasites) busy

  5. Patrick O'Reilly

    Dormant My Ass

    If they're not using that code, then they don't need that permission and it should be removed.

    If they do introduce a new feature that uses, then change the app permissions so the user is prompted to accept the app permissions again with the text message access highlighted as new.

    Youtube accessing the camera isn't an issue at all, the Youtube can invoke the camera so that you can take videos to post to Youtube.

  6. xyz Silver badge
    Devil

    mmmmm....can't be long before...

    ....FB automatically starts recording everything on a phone and around a phone when that phone is automatically seen (GPS wise) to have entered a "zone of interest." Somewhere between FB's "dormant code" and Google's "oops...rogue staff member" there's some right dodgy sh*t going down. I'm away to start polishing me tinfoil hat.

  7. Mark C Casey

    @ratfox

    If your phone is rooted then you can install something like "LBE Privacy Guard" and selectively enable/disable permissions for apps.

  8. Irongut

    If you're testing something internally then why does the publicly available app request those permissions? You can do your internal test with a private version of the app installed from an internal server.

    I don't use FB but if I did I would have rejected their app on the basis that it doesn't need that permission.

  9. heyrick Silver badge

    FaceBook with SMSs?

    They'd better watch it, some places and providers don't include unlimited SMS as part of their plan. Sure, they're cheap on my contract, but enough of them will add up to a shock. Having just looked at the permissions requested (damn Xperia Mini is full of "social networking" rubbish that I don't want, and a lot of it starts at start-up (until I kill it, that is)), I'm less concerned FB can look at my texts and more concerned it wants the ability to send texts. This, filed rightly, under "Services which can cost you money"...

    As for YouTube, the one on my phone doesn't claim a right to access the camera at all. I think it just tasks off the video recording job to the built in recorder - better that way as it would offer a consistent UI.

  10. Gerard Krupa

    Not evil just incompetent

    So if they're not conspiratorial, they need to learn how to use SCM so they don't need to dump test code in their released app.

    1. Tom 35

      Re: Not evil just incompetent

      Unless the test is to see if people install the app anyway...

  11. Anonymous Coward
    Anonymous Coward

    One major reason many Android apps request far more permissions than necessary is that, if permissions change in a future update, the automatic update and "update all" features of Android won't work for that app and the update will need to be installed manually.

    If Facebook were to provide a SMS service later on, users would need to go and manually install the new version. To make matters worse the "Update (manual)" message is shown in red as if it was some error. When faced with this many non-geek users will simply not install the update.

    By simply requiring all foreseeable permissions from the start the app avoids this. It's bad practice but developers are stuck between a rock and a hard place with this one.

    1. Gordon 10

      Then they should pressure google to fix whatever design flaw that stops the apps from requesting changed permissions on update.

      What they should do is request permissions they don't need at the moment.

      Seems like an android weakness tbh.

      1. Craigness
        WTF?

        This is an Android strength. If version 1 has no permissions but can be automatically updated without the user's knowledge to send SMS to premium rate numbers then Android WOULD have a flaw.

      2. Robert Carnegie Silver badge

        I'm not an expert but I believe that already works.

        For instance, I think Google Maps recently added an "NFC" permission - or something else did. As far as I remember, it was conspicuously highlighted. I don't have NFC hardware so I wasn't worried. But Google Maps uses a -lot- of permissions.

        I generally don't allow any app to update automatically. If I did, then I assume that an added permission would stop that from happening. But to take that as an argument to install originally with permissions that your app -might- want to use some day is moronic, IMO.

        Another option, I think, is to publish your app in different versions, with different permissions for each. But I don't know if you can replace one with another. Paid and free (ad-supported) product versions are an example: the "free" edition needs to go to the Internet to download advertisements to show you, the paid product maybe doesn't require Internet permission.

    2. Craigness

      Meatvisor, the facebook app did not require this permission from the start. When the permission was introduced, people had to manually update (but some of us uninstalled instead) even though there was "no need" for the permission to be added.

      1. Anonymous Coward
        Anonymous Coward

        Craigness, the Facebook app has been requesting that permission since version 1.5.4, launched April 2011. That's nearly a year ago.

        At the time many got the manual update notice and chose to deinstall the app instead. This just reinforces my point: if companies make such permission changes so visible during updates, many users will either not update or worse - they'll *remove* the app. If a company just puts in all permissions from the start most won't ever notice.

        Several phones come with the Facebook app already installed, many with the newer version where the SMS permission was already accepted. These users wouldn't even know the app could access their text messages.

        Also can you explain the Youtube app needing access to the camera if not for future proofing?

        Android's permissions may sound great in theory but recent news like this show that in practice the mechanism sucks. Sorry you can't see this.

        1. Craigness
          WTF?

          I got my phone in April 2011 and I installed FB back then. The update for the SMS stuff was much later. They changed the permission and some people decided not to update, which shows that the permissions mechanism is awesome - I was using the old version of the app for ages and didn't have to worry about what FB could do to me! On lesser operating systems you just get what you're given.

          Can you explain why the Youtube app has not requested every permission in the book?

          Can you explain why developers, believing that people will not install the app if it requests permission to read their SMS, will make version 1.0 of the app request permission to read their SMS even if it doesn't use that permission? Some people decided not to update FB but there may have been others who updated it in spite of the new permission, simply because they had become accustomed to using the app and wanted the new functions. They might never have installed it if it had always required that permission.

          Your hypothesis does not support the facts and it makes no sense.
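
The sub-thread above turns on what happens when an update asks for permissions the installed version did not have. The following is an added example, not part of the original comments: it diffs the `uses-permission` entries of two decoded `AndroidManifest.xml` files and flags additions for manual review. The two manifests, the package name `com.example.socialapp` and the `SENSITIVE` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions this example treats as high-risk. The selection is an assumption
# of the example, based on the concerns raised in the thread (SMS, camera, GPS).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifests (text form). Manifests inside an APK are stored
# as binary XML and must be decoded to text before this parser can read them.
OLD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp" android:versionCode="10">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

NEW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp" android:versionCode="11">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a text manifest."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest: root is <%s>" % root.tag)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(NAME_ATTR)
        if name:  # ignore malformed entries without android:name
            perms.add(name.strip())
    return perms


def review_update(old_xml, new_xml):
    """Compare two versions and report what the update would newly be allowed to do."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    added = sorted(new - old)
    return {
        "added": added,
        "removed": sorted(old - new),
        "sensitive_added": [p for p in added if p in SENSITIVE],
        # Any added permission means the update should not be applied silently.
        "needs_manual_review": bool(added),
    }


if __name__ == "__main__":
    report = review_update(OLD_MANIFEST, NEW_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```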

  12. g e

    The fact that I wouldn't be surprised if it were true

    Says so much about the reputation FarceBork has earned itself than whether or not it's actually true.

    Whenever I tried to do something in the FB app the GPS icon came on.

    Uninstalled it.

    1. This post has been deleted by its author

      1. g e

        Re: Re: The fact that I wouldn't be surprised if it were true

        Google lubz my info's

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: The fact that I wouldn't be surprised if it were true

          Fortunately you didn't remove the Youtube app with its camera permissions so I watched you bating over the latest Android activation figures - it wasn't a pretty sight.

  13. Anonymous Coward
    Black Helicopters

    If I look at my selection of "suggested" chat buddies in the bottom right of the facebook screen then most of them are people who have text me at some point recently. I understand if they have inboxed me on facebook, but SMS? Hmm. I was always cautious of this and raised this point with a mate who also doesn't trust it.

    Oh, and I don't ever use facebook chat as I'm permanently offline.

    I also hate the fact that if I leave GPS switched on but not active, logging into the app fires up my GPS for an obvious location report. I think I'll go the way of others and use the mobile site from now on.

    1. scarshapedstar
      Thumb Down

      Paranoia

      None of the people I've texted in the past month are in my Facebook chat list.

  14. Matthew 3

    BlackBerry

    About six months ago I binned my BlackBerry in favour of Android. And I've found that the permissions handling on Android seems to be all about the app's author and not the device's owner.

    An example: I used to use a newspaper app on my BlackBerry but not permit the connections it wanted to make in order to display in-line advertisements. I liked that capability but I'm pretty sure the authors didn't.

  15. oldredlion
    WTF?

    Why would anyone want an app to write something to a message they are sending?

    It must be for advertising purposes so why would someone want to do that?

    1. Anonymous Coward
      Anonymous Coward

      It could also be like Angry Birds does, to enable network billing:

      http://www.androidcentral.com/rovio-explains-why-angry-birds-update-needs-sms-permission

  16. Frank Bitterlich

    Oh, well, that's OK then...

    ... so you want permission to snoop around in my stuff, you're just not actually doing it.

    ███████ TRUST ███ ██████ US ██████, ALL ███ ███ IS ██████ WELL. ██████ WE'RE ███ ██████ NOT █████████ EVIL. YOUR █████████ FACEBOOK

  17. mikeyboosh
    Thumb Up

    Use tinfoil for android.

    1. I Like Heckling Silver badge

      Excellent recommendation, now installed on my phone, can't uninstall the 2 FB apps that came with it though, one is FB and the other is FB for HTC sense, but at least I can force stop them.

      Maybe it's time to look into rooting the phone.

  18. sisk

    Not a bad thing

    "The permissions issue is as much one for Google as Facebook: Apple's iOS walls off certain phone functions from third-party apps - including text messages and phone functions. But on Android phones that information is accessible to apps, provided the user agrees on downloading the app."

    So in other words: Android allows apps to ask your permission to gain functionality that is impossible on iOS. Why are you trying to paint this as a bad thing? More capability is a GOOD thing, especially when it requires explicit permission from the user.

  19. Tringle
    FAIL

    Just say no

    When I switch my 'phone on I get a T&C accept decline for Faecesbook every time. And every time I tap 'no'.

    Simples.

    Pity the FB app can't be uninstalled totally. I have absolutely no use for it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just say no

      What about the Youtube app that records from your camera at any time?

      1. scarshapedstar

        Re: Re: Just say no

        There are not two separate camera permissions, one reading "allows the camera to record at any time" and "allows the camera to record when the users tells it to". If you don't trust Youtube you shouldn't trust any camera app for Android, because they all have the same goddamn permission.

      2. sisk

        Re: Re: Just say no

        OF COURSE YouTube records from your camera. How else are you going to create and upload a video from your phone? Trying to paint that particular permission in a sinister light is just plain silly.

  20. Anonymous Coward
    WTF?

    What puzzles me

    What puzzles me is why anyone would say yes to these types of permissions.

    Some of the apps I find interesting on the Google marketplace ask for a bewildering array of permissions that have absolutely nothing to do with their core function, web advertising excepted of course.

    1. scarshapedstar
      Boffin

      Re: What puzzles me

      In a word, share buttons. "Tell your friends!"

      Share via SMS? "Read and send text messages" permission.

      Share via Facebook? "Full internet access" permission.

      Share via Gmail? Google account permission.

      Share via other email? Email account permission.

      You might think there's some built-in ShareButton class that lets every app do all these ubiquitous tasks without special permissions. Nope.

  21. scarshapedstar
    Boffin

    "Allows application to take pictures and videos with the camera. This allows the application at any time to collect images the camera is seeing."

    Right. Because there's a goddamn record button in the app. You hit the little camera, it starts recording, and when you're finished it automatically uploads it to Youtube.

    Without the camera permission, you cannot record video, even if the user gets on their knees and begs. They're worded for maximum caution but basically anything reasonably fancy - accessing the SD card, for example - requires a permission. Even if the app isn't snooping around, it can't read or write on the SD card unless the user OK's it.

  22. Gil Grissum
    Pint

    Glad I left Android behind

    Thank Goodness the Walled Garden doesn't allow this Facebook mockery of privacy. There is no reason for a Facebook app to need access to any personal information on my phone, including text. If it's "internal testing" then they should have that function on their INTERNAL PHONES, not phones outside of Facebook. It's a well known fact that both Facebook and Google want as much of your personal info as they can get. Android? No thanks!!!

  23. JaitcH
    WTF?

    "a piece of dormant code used to run a limited internal test of a new feature,"

    Seems this is parroted by every company starting with Apple's tracking software.

    Since so many companies have proved they cannot be trusted, it is time the politicians stepped in and put an end to it.

  24. ChrisM

    Yes, those paragons of morality in our political class....

    They can sort it all out, until the cheque book is waved at them

  25. Paul 87

    One of the reasons I haven't updated my Android app in *ages*, I don't want the new features, I just want to read my FB wall and post comments.

    I wish it were profitable for developers to make these kind of applications far more modular in nature, letting us pick and choose the functionality we want, instead of having their latest idea shoved down our throats.

  26. Doug Glass
    Go

    Gotta love 'em ....

    .... old re-activated dumb phones, DuckDuckGo and what's Facebook? Sheople got to be connected and provide the rest of us with entertainment.

    1. Anonymous Coward
      Anonymous Coward

      Re: Gotta love 'em ....

      We really need a version of Godwin's Law that relates to shills inserting "DuckDuckGo" into responses for no apparent reason and with no relevance to the article to which they are replying.

  27. Azzy

    We need a way to install an app while selectively denying permissions

    Let the user selectively deny permissions - or at least "serious" permissions, like SMS and phone control - with a note that the app might not work correctly. If the code attempts to use those requested-but-denied permissions, either return default values (for functions that gather information), or return an error for functions that do things.

    Apps would be expected to be able to behave well if those permissions are denied - of course, they could check that they were denied, and if it was essential to the functioning of the app (for example, an SMS messenger app), notify the user that the app needs the missing permission.

  28. Anonymous Coward
    Anonymous Coward

    DuckDuckGo

    WTF

  29. Winkypop Silver badge
    Devil

    Facebook

    I've heard of that!

  30. Anonymous Coward
    Meh

    No to Android

    This is why I won't touch an Android phone. Someone (Google and others) want as much info as they can get on their users. No I don't do Apple either. I was on Facebook until late last year. I deleted my account. I don't miss it. We all have a choice don't we? Use it or don't use it. Simples. And just for the hell of it - Duckduckgo :-D

  31. mitch 2
    Big Brother

    Quack!

    oops, sorry.
