Blog: Android
App creep: Facebook security issues
Smartphones have changed most peoples’ lives. Instead of a simple device for making the odd phone call, sending texts and playing the odd game of snake, most of us carry around a miniature computer with a decent, persistent Internet connection.
So we can now use Wikipedia to win pub arguments, watch funny videos, distract ourselves whilst looking after the kids or even do serious stuff like banking or email whilst mobile.
With these always-on always connected facilities, they are also used for social media with specialised apps that alert you when you have messages, or that the next post in an online, unsolvable argument has been made hastening you towards invoking Godwin’s law and losing the discussion.
Initially these apps came with minimal permissions to do their job: reading contacts list, accessing the Internet etc. However, over time more and more permissions have been added. This permission creep means that now they now demand access to pretty much everything on your device before you can download them. It’s a safe bet to say that they don’t need all the services they want access to in order to provide the functions they provide by the way.
As an example, here is the permissions that the Facebook app and its companion messenger app currently ask for on Android:
| Permission | Facebook: | Messenger: |
| Add or modify calendar events and send email to guests without owners’ knowledge | x | x |
| Add or remove accounts | x | |
| Adjust your wallpaper size | x | |
| Approximate location (network based) | x | x |
| Change network connectivity | x | x |
| Change your audio settings | x | x |
| Connect and disconnect from Wi-Fi | x | |
| Control vibration | x | x |
| Create accounts and set passwords | x | |
| Directly call phone numbers | x | x |
| Download files without notification | x | x |
| Draw over other apps | x | x |
| Edit your text messages (SMS or MMS) | x | |
| Expand/collapse status bar | x | |
| Find accounts on the device | x | x |
| Full network access | x | x |
| Install shortcuts | x | x |
| Modify or delete the contents of your USB storage | x | x |
| Modify your contacts | x | x |
| Precise location (GPS and network based) | x | x |
| Prevent phone from sleeping | x | x |
| Read battery statistics | x | x |
| Read calendar events plus confidential information | x | |
| Read call log | x | |
| Read Google service configuration | x | x |
| Read phone status and identity | x | x |
| Read sync settings | x | x |
| Read your contacts | x | x |
| Read your own contact card | x | x |
| Read your text messages (SMS or MMS) | x | x |
| Receive data from the Internet | x | x |
| Receive text messages (MMS) | x | |
| Receive text messages (SMS) | x | |
| Record audio | x | x |
| Reorder running apps | x | |
| Retrieve running apps | x | |
| Run at startup | x | x |
| Send SMS messages | x | |
| Send sticky broadcast | x | |
| Set wallpaper | x | |
| Take pictures and videos | x | x |
| Test access to protected storage | x | x |
| Toggle sync on and off | x | |
| View network connections | x | x |
| View Wi-Fi connections | x | x |
That, in technical terms, is a SHED LOAD of permissions, which can allow Facebook to gather loads of information about you, your location, your contacts with friends and can even overlay other applications. To be fair to Facebook, this is information that they aim to get so that they can target advertising more directly at you, so that they can get more advertisers to pay for targeted adverts.
Personally this is too much information to divest for me. I’d been holding back upgrading the app for a while anyway, and when I saw the messenger companion being enforced that was it, enough for me.
So, most of us run Facebook (or Google Plus, or LinkedIn, or Twitter) through a web browser on our PCs, why do we do it differently on our mobile phones? Is it possible to get the full Facebook experience without installing the app?
Yes it is, I’ve now been running it on a separate browser, exclusively dedicated to Facebook (see my top tips for internet privacy post for why I do this) and it’s not that bad. It takes a while to get used to the differences in interface, but that’s about it. If anything it’s slightly better as I no long get a vibration and flashing blue light to remind me to get into arguments with other people.
So, don’t allow permission creep on apps, use a web browser and protect your privacy!
