Facebook can now read your texts (calileo.com)
354 points by WestCoastJustin on Jan 28, 2014 | 213 comments



This has been a thing for about a month and a bit now. A Facebook engineer posted the following on Reddit[0], explaining the rationale behind the SMS permission:

> As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned on 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, the Android permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number (plus that wouldn't scale well because the list of numbers varies per country, but that's a separate issue).

[0] http://www.reddit.com/r/WTF/comments/1t5z45/facebook_why_the...


The problem with this is that although it's likely true, there is no guarantee that what is done with that permission will not expand in the future.

e.g. Given the explanation that it's only for 2-factor authentication, I accept and install. When the next version is released (which does more with that permission), I see no new permissions required and install.

ericcumbee's suggestion of sending a URI makes much more sense to me. A per-request permissions model would likely need to include a "yes to all" checkbox, which would be checked in short order by the vast majority of users.


I feel like some sort of manual component to two-factor authentication is the whole point (a clickable link, copy+paste, or remembering a 4 digit number).

Besides that, two factor is a bit of a joke in an app (on your phone) that caches your password, and then sends a message (to your phone) which is automatically read and accepted, before allowing you to login. What exactly are we achieving here in terms of security? Every 30 days the app authenticates itself with no user intervention.

It would be much more secure to just force a password login.


>I feel like some sort of manual component to two-factor authentication is the whole point

It's not really. The point is to verify that the device used for 2FA is still with you; whether you entered the code manually or it got entered automatically isn't the point of the system, and in practice has no real difference (unless your 2FA app requires a password for access).

>What exactly are we achieving here in terms of security?

Verifying that the phone is still using the allowed SIM card/phone number.

If you switch phones you can still get the confirmation message and access your account and if needed invalidate all other sessions.

If your phone is stolen you can do the same thing. The app password caching doesn't matter then.

It is no different than a 2FA app that you have on your phone, except that it's more tied to your SIM card than your phone.


We are achieving the same security guarantee as before, just without the user pain. All two factor provides in this case is proof that you have the phone associated with your account. Why does it matter if the app does the legwork for you?


> We are achieving the same security guarantee as before, just without the user pain.

I'd argue that a corporation other than the phone company being able to read all your text messages is significant pain.

Given that FB seems to want to take over all communication between users (contact list/blog/email/photos/messaging) FB being able to track and access anything you do is the inevitable endpoint of such aspirations, but many people are not comfortable with that, and the farther FB go down that road, the more people they'll alienate.


If you offer some kind of flag that can authenticate without the second factor then the whole system is moot. I.e. an attacker can fake/spoof the user agent or whatever flag you're using. The reason it's OK to skip the constraint on a mobile is that if your mobile is owned, so is your secondary factor.

For all other cases, going via cell networks is a good enough secondary channel of communication which leaves out any chance of being MITM'd over WiFi or something.


It's bullshit, I'm sure they have a similar motivation for retrieving running apps. When I bought my Nexus 5 I installed a game on it and was surprised to see on the desktop Facebook constantly asking me to like it. I didn't see it before and now it was there just after I had installed it, it wasn't a coincidence. Turns out the Facebook app has the permission to retrieve running apps, and this obviously happens whether you actually open the app or not, since it's always running in the background. This is fucking bullshit and I'm tired of companies always trying to peer into our lives.


The problem with many permission systems, such as this one, is that the developer of an app can't indicate to the user /why/ it needs a certain permission. Second, that the user cannot allow/disallow the permission at the time of installation, and that the app / app developer can then indicate, like in this case, that automatic two-factor authentication won't work. Which is fine.

tl;dr: Android's permission system does not allow for transparency from the developers. It makes the app developers look like douchebags going 'I WANT TO READ ALL YOUR TEXTS', instead of an 'I'd like to make things a little easier for you by automatically intercepting two-factor authentication texts'.


You're proposing to solve a non-tech issue (trusting the app's developer) with tech -- what's to stop the developer from lying anyway?


A better alternative would be to ask the user each time to check if the SMS was received, that would ensure some trust.

You can't just peek into the entirety of a user's SMS and justify it's for the security of your users.

At least put an option to give users a choice and not force them to have their SMS read in the name of innovation, or explain why you read them and that you need just that one SMS.


am I crazy or could they not just include a uri to the facebook app with the 2 factor auth token included as an argument?


Yes of course. But this allows them to automate that process.

Typical tradeoff: It's a nice feature, but adding it requires permissions that are off-putting to some users. I'm not sure there is a good solution here.


The good solution is in Android's hands and is to allow on demand permission requests after the app is installed.


I remember when Symbian did that. God it was awful!

But perhaps if it were implemented better it might make some sense.


Android does on demand permission requests for premium SMS sending. Now to just scale that to anything an app developer wants to make optional.


This reminds me a lot of LinkedIn's clever scheme to MITM your IMAP traffic: http://blog.linkedin.com/2013/10/23/announcing-linkedin-intr...


At this point I'm running at least 2 versions behind on the facebook app. I didn't install it last time it asked me to allow it to "Send emails to guests [of events] without host's knowledge" among other things. I see now that they also want to be able to connect and disconnect from WiFi.

The Facebook app is probably the fastest way to find a list of all permissions in the Android system. "Draw over other apps", "Read battery statistics". I don't know what part of facebook requires either of those options, and the mobile version of their website offers me the minimal amount of functionality I need.

The act of writing this comment has made me uninstall the damned thing. Just reclaimed 17.61MB, and probably a fair amount of space in my mind since I'll check Facebook less often.

I'm sure, as the author of the linked article asserts, most people blindly accept the permissioning changes, but I hope this permission-creep starts to cost them installs.


Same here - about running 2 versions behind, at least. I haven't deleted the app yet, but I refuse to give it permission to send or read texts without my knowledge or permission. I don't care what their explanation is for wanting those permissions, but they're not necessary and not something I'm willing to trust Facebook with.


"draw over other apps" is to implement chat heads (see http://www.piwai.info/chatheads-basics/)


Which caused me to freak out when it first happened. I was furious. I had to stop everything I was doing immediately in order to figure out how to disable it.

I can't possibly state emphatically enough how user-hostile that feature is. It is so disruptive to my thought process...it's nearly as bad as that awful focus-stealing thing that Windows does.


I can understand it might have been unnerving, but on the other hand the feature was documented in the change log and in the list of new permissions the app required (in the version chat heads were introduced). Personally I find chat heads convenient and useful.


"Useful" for what purpose?


It makes it easier for me to carry on conversations while also doing other things on my phone. If I'm reading something, and someone responds to a message, I can quickly pop open the chat window and respond, then close it and go back to what I was doing. I find that more convenient than going back to the home screen and launching an app from there or the (rather slow) app switching process.

Yes, sometimes it does get in the way of what I'm doing, and in those cases I just swipe the chat head down to the bottom of the screen and it goes away. And considering turning it off is one of the options in the first page of the settings, I'm not really understanding why it would make you furious or think this is user-hostile. Overall it's a pretty unimportant change that is easy to disable if you don't like it.


Notifications in the top bar achieve that purpose for me, without disrupting what I'm currently doing.


Wait so when you get a facebook message it just bam takes over your screen?


Yeah, this is the update I stopped at too. Now I might just delete the Facebook app because I hate constantly seeing that there is an update waiting for me.


"view Wi-Fi connections". Hmm, is there a reason it also needs the geolocation permission and that? Are they gathering their own geolocation data bootstrapped from google's somehow?


The "view Wi-Fi connections" thing is probably for the free Facebook WiFi access thing[1].

[1] https://www.facebook.com/help/126760650808045


I just deleted mine from your comment. Thank you.


I did the same. I am several versions behind due to the requests for increased permissions, but this gave me the impetus to finally purge a bunch of applications with updates wanting additional, seemingly unnecessary, permissions. Though it was slow, I liked Bandsintown until a recent update wanted to read my contacts.

Facebook is now wrapped by Tinfoil-Facebook and Twitter is now relegated to the browser.


Is there any recourse short of "don't use the app" that regular users have against this sort of thing?

Is there no meaningful way to push back against Facebook for demanding this permission?


Use CyanogenMod + privacy mode; you can disable what the app can do. For example, you can disable that. The app still works, it just gets an empty SMS list.


This feature is nowadays called Privacy Guard and it works so well that I have it on by default for all apps. With the exception of apps that actually need to read my contacts (say WhatsApp), I have not had to disable it for any applications and haven't seen any complications. For example Facebook and Twitter apps, which require a whole rainbow of permissions, function just the way they used to. I've never made a lot of use of their location dependent features though and would expect those to suffer from being deprived of GPS data.


I haven't got round to rooting my droid yet, but my plan is to always tell facebook/twitter/google+ that my current position is directly under the moon/ISS/some other satellite. Or maybe I'll trace out "Hello FB" on the Atlantic ocean.


That so needs to be a thing.

Though I don't think I'd be tracing out "Hello". Unless you speak Bronx.


This sounds excellent, I can't believe I never tried it yet! Of course, this should be part of core Android, but I guess there is no hope for that (given that Google makes its dough on advertising).


It used to be, called App Ops. It was in for (one?) point release before Google promptly withdrew it again after realising that giving people tools to protect their privacy goes against their mission.


According to Google [1], it was never meant to ship at that point as it was not ready for the general public. There were some compatibility problems with many applications, so that is somewhat believable.

[1] http://www.dailytech.com/Google+Removes+App+Ops+Privacy+Cont...


Of course, they have to spin it some way, because they're years past the point they could be honest and believed. I think it's more likely one Google engineer wanted to resist the constant invasion of privacy and likely ended up paying with his job.


App Ops throws SecurityExceptions when you try to access a permission, it doesn't return empty data. You can imagine that most apps didn't build exception handling into the feature access that is required in the manifest at install time. That is the primary reason why it is not a fully public feature for users.
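The comment above describes the failure mode that broke apps under App Ops: the permission is declared in the manifest, so the code assumes the content-provider query will succeed, and an unexpected SecurityException crashes it. An earlier comment in this thread notes that CyanogenMod's privacy mode instead hands the app an empty SMS list. The following is an added example, not code from the thread, from Facebook's app or from either privacy tool, showing how a confirmation-code reader can tolerate both behaviours and fall back to manual entry. The class name, the sender short code `12345` and the six-digit code format are constructed for the example; the Android APIs used (`Context.checkSelfPermission`, `ContentResolver.query`, `Telephony.Sms.Inbox`) are real.

```java
// Added example: read a confirmation code from the SMS inbox without
// assuming the READ_SMS grant is still in force. Returns null (meaning
// "ask the user to type the code") when the permission is missing,
// revoked (App Ops: SecurityException) or neutered (privacy mode: empty
// inbox). Class name, sender "12345" and the 6-digit format are constructed.
import android.Manifest;
import android.content.ContentResolver;
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.Telephony;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ConfirmationCodeReader {

    // Hypothetical sender short code; only its messages are inspected, so the
    // rest of the inbox is never read into app memory.
    private static final String EXPECTED_SENDER = "12345";
    // Constructed code format: a standalone 6-digit number in the body.
    private static final Pattern CODE = Pattern.compile("\\b(\\d{6})\\b");

    private ConfirmationCodeReader() {}

    /**
     * Returns the most recent confirmation code from EXPECTED_SENDER, or null
     * if the app cannot read SMS or no matching message exists. A null result
     * means the caller must show the manual-entry field instead of crashing.
     */
    public static String tryReadCode(Context ctx) {
        // 1. Explicit check before use. Under the install-time model this
        //    reflects the manifest grant; under runtime permissions it can be
        //    denied even though the manifest declares READ_SMS.
        if (ctx.checkSelfPermission(Manifest.permission.READ_SMS)
                != PackageManager.PERMISSION_GRANTED) {
            return null;
        }

        ContentResolver resolver = ctx.getContentResolver();
        String[] projection = { Telephony.Sms.ADDRESS, Telephony.Sms.BODY };
        String selection = Telephony.Sms.ADDRESS + " = ?";
        String[] args = { EXPECTED_SENDER };

        // 2. The check can still be stale, and tools such as App Ops enforce at
        //    the provider rather than at the check, so the query itself may
        //    throw. try-with-resources closes the cursor on every path.
        try (Cursor c = resolver.query(Telephony.Sms.Inbox.CONTENT_URI, projection,
                selection, args, Telephony.Sms.DATE + " DESC")) {
            if (c == null) {
                return null;  // provider unavailable: treat as "cannot read"
            }
            // 3. An empty cursor (privacy-mode behaviour) simply falls through
            //    to null; no special case is needed.
            while (c.moveToNext()) {
                String body = c.getString(c.getColumnIndexOrThrow(Telephony.Sms.BODY));
                String code = extractCode(body);
                if (code != null) {
                    return code;
                }
            }
            return null;
        } catch (SecurityException denied) {
            // 4. Permission revoked out from under us: degrade to manual entry
            //    instead of letting the exception propagate and kill the app.
            return null;
        }
    }

    /** Pure helper: the first 6-digit code in a message body, or null. */
    static String extractCode(String body) {
        if (body == null) {
            return null;
        }
        Matcher m = CODE.matcher(body);
        return m.find() ? m.group(1) : null;
    }
}
```

The caller's contract is the point: any path that cannot prove the code was read yields null, and the UI treats null as "show the manual field". Filtering on the sender in the query's selection clause also keeps the amount of inbox data the app touches to the minimum the feature needs, which is the scoping the Facebook engineer's quoted explanation says the permission system itself cannot express.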


"more likely one google engineer wanted to resist the constant invasion of privacy"

One engineer can't launch a product alone. Just isn't possible unless it's under a personal name.

"and likely ended up paying with his job."

0% chance.


They didn't really withdraw it, they just hid it better. I downloaded App Ops X and it still works fine on 4.4.whatever.


App Ops X can only work with root on 4.4.x. In 4.3 it could expose the hidden options to the user without additional permissions.


Ah, I didn't know it needed root, I guess I root everything so I never noticed. Too bad.


To clarify, it doesn't need root on 4.4, it needs root on 4.4.2.


Do you have a link to the Google Play Store? I tried to find it and couldn't. I would love to download it.



Yep, that's the one!


Thanks!


If that were true, why don't they remove the AdBlock extension from the Chrome store? What good are targeted ads if those ads are blocked anyway?


This one is pretty simple, actually. They do obscure AdBlock from the store — if listed in order of popularity instead of being somewhat curated, it’d be at the top of the page. But to your point, imagine they did remove AdBlock from the store. Nerds would stop using Chrome. (Assuming it was not fairly straightforward to install from another source, as is increasingly true.) And we nerds tell our friends and family what browser they should be using. It’d hurt the overall popularity of the browser.

Also, it’s better for Chrome’s security reputation to allow AdBlock from within their store than to allow it from a third-party site. You don’t want to train users that it’s OK to install extensions with broad permissions from anywhere but the Chrome store!

It may become the case in the future that they re-evaluate these priorities, of course.


Unfortunately, Cyanogenmod's Privacy Guard does not block everything (e.g. your IMEI is still readable if permission READ_PHONE_STATE is granted). XPrivacy can help in this case, but its UI is quite convoluted.


Sure would be nice if someone would jailbreak the iPhone, so we could have these sorts of options in our little walled-gardens too.


Funny you say that, because iOS already has all these little options. What's better, apps still get installed and users don't have to make this decision upfront. When permission is required for the first time, a dialog box pops up, and then you can refuse each permission individually - i.e. you can give Facebook access to location so you can check in, but block access to contacts.


Can't you already disable access to Contact, Calendar, Reminders, location, etc per app on the iPhone?


It's not without its own faults (and it used to have some huge gaps, such as address book access), but the iOS privacy model is simply a more user-centered paradigm than on Android.

Android apps ask you if you want to update to the new version or stick with the old one indefinitely; privacy settings are non-negotiable. iOS apps ask you as they go: If iOS had an SMS API, Facebook wouldn't need to ask you until you enabled two-factor authentication (assuming that's all they use it for). And you could turn it back off later if you weren't comfortable leaving it on.


Yes. And of course no app can read your text messages in the first place there.


Well, they could read all that other stuff by default with no warning previously until all sorts of apps abused it. Then Apple had to add in the prompts for things like reading Contacts. I'd imagine the Android devs are working on similar since the list of permissions model is breaking down.


Yes you can.


Welcome to two major iOS versions ago. iOS already has privacy controls. Check out Settings->Privacy.


The iPhone has had fine-grained privacy since before App Ops was released and then removed, and I also think before CyanogenMod had Privacy Guard. One of the few good things about the platform.


You don't need to. Apps can't read SMS and for the rest: You get asked for everything and can deny it.

On Android it's all or nothing.


Are you sure that you have an iPhone?


Or MIUI, which comes directly with the privacy feature.


I uninstalled the app and put a bookmark to the mobile site on my homescreen instead (like the old days before app stores). It's slightly slower, but on a Nexus 4, it's still fast enough I don't mind. They've improved the mobile interface since the early iPhone days.



What's the difference with using a browser bookmark?


It has menu options to go directly to your news feed, the top of the page, notifications and preferences, so it makes browsing the mobile page easier. It also saves the facebook cookies so you don't have to type your user and password every time you want to log in.


I remember that a couple of years ago the mobile website was actually noticeably faster than the app, at least on iOS, and gave you access to more features. Back then I kept the app around just to upload photos, but used the mobile site for everything else.


I am not a Facebook app user since I closed my account years ago, so maybe not the best person to comment but... I have never understood why one needs an app to view a website? Facebook has a mobile site that works, yes?


The app can push notifications to your phone, which is nice for regular users, and it can merge with contacts to fill in blank pictures and provide more information. It's not essential, but some of the integration is nice.


If I ever get Facebook notifications on my mobile phone you are authorized to shoot me in the head...


Some of my friends prefer FB message to SMS for some reason or another, and use it accordingly, so push is nice for that purpose.


I've started using FB messaging - I live in New York, in a basement, and frequently hang out in places with plenty of Wifi, but zero cell signal.

In that situation, I cannot send or receive SMS messages, but FB, etc., work just fine.


I use FB message to communicate with friends in other countries. I know there are other apps out there for it, but when we all have Facebook already, it's easier that way.


<shameless plug>

You can use my Facebook client, which definitely doesn't read your text messages, emails and calendar.

Link: https://play.google.com/store/apps/details?id=com.flipster&h...

</shameless plug>


>which definitely doesn't read your text messages, emails and calendar

Does this constitute a privacy policy?


Well, you don't have to trust me or some privacy policy.

On Android you can see for yourself whether an app tries to access data such as text messages, emails or calendar.

My app doesn't ask for those permissions, therefore it can't access that data.


That was a joke.


Sorry, didn't get that, English isn't my native language.


Yeah, I get that a lot.


> Is there no meaningful way to push back against Facebook for demanding this permission?

I think "not using the app" is the most meaningful way, really.

Alternatively, spoof its private data hose and flood Facebook with garbage data, but I presume that's illegal.


I don't see how. They're accessing data on your phone, you aren't exactly cracking their databases and modifying stuff.


Shame on Google for not allowing users to take better control over their apps and privacy. They almost did it in Android 4.3, and then took it back in 4.4, when they realized people might actually use it.


Or, you know, because it was 1) a hidden debugging menu and 2) lacking functionality.


If you have a Samsung Android phone, there's a Permissions Manager that allows you to firewall what apps can and can't do.

Same as Cyanogenmod without having to root your phone.


No there isn't.



Yes there is. It's called "Permissions Manager" and is available through the Samsung app store.


What a constructive comment!


Correcting factual errors is constructive. The post implied that all you need is a Samsung Phone, then you have "Permissions Manager". No mention of an app. But then, when you look at the reviews for the app that is linked above, it doesn't give one a lot of confidence in managing permissions on Android.


You can use the mobile web page for Facebook.

Less intrusive, fewer privacy issues.

And it probably works better than the app.


This is my preferred solution for the times I have to unavoidably use Facebook: https://play.google.com/store/apps/details?id=com.danvelazco...


I love this app; I've been using it for years now. Never having to login to FB in the actual browser is a real boon; it's great at sandboxing their cookies.


I just haven't updated facebook. I'm sure it's not great for security.


Their mobile website is serviceable.


The main reason I rooted my Android phone is to run AppOps 4.3/4.4. I can revoke permissions from apps, just like the one in the linked article.

This should be a standard part of Android, in my opinion.

The app, for those curious (I have no affiliation with it):

https://play.google.com/store/apps/details?id=com.colortiger...

My favorite permissions to revoke are: Wake lock, Location, Read contacts. As a result, I get almost 2 days on a full charge on my Nexus 5.


What does revoking the wake lock do, both to the app and the phone?


The wakelock allows the app to wake up when your phone is asleep. My Twitter client wants one, but I have notifications turned off. It might be that because I have them turned off it doesn't invoke a wakelock. But it might. Basically, wakelocks are the #1 cause of unnecessary battery drain.


I see, thanks. That's what I thought, but I thought that apps rely on push to get notifications. I guess that would not be very scalable, so the client wakes up once every X hours and polls.


I've used it in cases where there isn't interaction with the user and I want to keep the screen on. I don't think it handles any type of security.


At this point, if you care about your privacy, why would you even still have a Facebook account?

I used to think I could be 'safe', that my advanced knowledge of privacy settings and optimised usage patterns could somehow shield me from the fundamental nature of these data monger corporations. But the truth is concepts like cloud and social networking are fundamentally toxic to privacy and freedom.

I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.


>At this point, if you care about your privacy, why would you even still have a Facebook account?

You could have a Facebook/Google account under a different name. I have one and it's rather useful when websites have an option of logging in using facebook/google accounts.

>I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.

What is this "far more useful" functionality?


> You could have a Facebook/Google account under a different name. I have one and it's rather useful when websites have an option of logging in using facebook/google accounts.

You can easily be identified by your network of friends. The name of your account doesn't matter.


Ah, I should clarify.. the account does not have any friends.


The title of this thread should be modified with the addition of: "if you use an Android phone."


... but nonetheless it's an important example of the erosion of data privacy. Just as users are getting accustomed to clicking past EULAs, so too they click past these permission request screens, and if they don't then the app keeps nagging them ... the user just wants to use the app, so permission granted.


"...and update to the latest version of the Facebook app."


This sucks because even if you don't have the application, you might be texting someone who does... facebook can collect that data too and build profiles of people who don't even have the app or even use facebook.


Good point. Wow, there really is no hope for private communication.


Other than hand-delivered letters and face-to-face conversation in a secluded space, but then again, how can you trust the person you're communicating with to keep those communiques private?

Argh...paranoia...all consuming!


That is a little different, but point taken.

If facebook wanted to be nefarious with these newly granted permissions, they have an extremely large pool of data to mine.


Like others have said, on Android you can use App Ops, and if you're on 4.4.2, App Ops X ( https://play.google.com/store/apps/details?id=com.colortiger... disclaimer: I developed it). It still sucks that you're on an "open" platform but you still have to root/jailbreak your phone to keep your privacy.


Cool app, thanks. Is there a place where I can see an explanation for all of these permissions? I have no idea what the difference between "location" and "monitor location" is, for example.


Total guess based on their names: Location probably refers to retrieving the location of the device using an API.

Monitoring Location likely means continuously getting notification about device location as you are moving around.


That's what would make intuitive sense, but it also makes intuitive sense that those would be one and the same, given the topic of the article we're commenting on, so I'm still not sure about it.


Just installed. I hope this is easier to use than XPrivacy. Thanks!


open source != open platform.


Access to all your texts is scary, but what about "Add or modify calendar events and send emails to guests without owner's knowledge ...". I feel dirty just reading that - I'm so glad I've broken my Facebook habit.

Facebook's value proposition is going downhill fast. All but the dumbest users are now very careful about what they allow FB to know, if they stay at all. I suggest that their hallowed social graph contains less and less reliable info about the more valuable demographics.


And record audio and video? Are they insane? Who the fuck would agree to this?


how else would you expect them to be able to take photos / videos in app?


I'll take it on my phone and upload it.


"Read your text messages (SMS or MMS) If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message."

That's a pretty crap feature to use to justify this.

https://www.facebook.com/help/210676372433246


Looks like Twitter is doing something similar. One of the commenters here shows some decompiled code:

http://android.stackexchange.com/questions/57726/twitter-rec...


Yep, both Twitter and Facebook's apps seemed to start asking for this permission around the same time - they seem to be oblivious to how scary "Read your text messages" sounds to anyone vaguely concerned about privacy. I'm holding off on updating for now.


Right now, the Twitter app is no better:

  - NEW: Receive text messages (SMS)
  - NEW: Read phone status and identity

Another reason I haven't updated yet.


The whole idea behind these apps is in gaining access to the user's data. This is why in recent versions of Android the user cannot control not only what an app can do, but also whether or not it should be started automatically.

The "strategy" is very straightforward - first to gain "popularity" offering a reasonable service "for free" and then, after accumulating what they call a "user base", they just change the rules (permissions). The idea behind the separate "messenger" app is exactly to "hijack" the user's messaging service by "forcing itself to be" the default messaging app.

I don't even want to talk what kind of spyware Skype is, using exactly the same "strategy" of quietly "adding functionality" and having permissions to do everything.

There is no other "working" way to monetize user's data, but collecting and selling it.

The next level is just adding malware functions in "next version".)


I switched to using the mobile web version of FB on my phone because of this (and made a shortcut to it on the homescreen)... though really it's a losing battle, the real solution is to dump FB altogether.

I will say that the app provides very little that the mobile web version doesn't give you. I don't even notice the difference.


I once talked to the CTO of a quite popular app and he mentioned that he finds it best to ask for all permissions you might need upfront (on first install), even if you don't need them yet. Adding them in upgrades later results in lots of customer support questions (and negative reviews).

It is also telling that OP is bothered by "read your messages" permission but doesn't seem to mind "record audio, take pictures and videos" just below it. Just because it is not new?


The facebook app has its own camera app, if memory serves, that has some facebook specific features.


The one that alarmed me was the permission to alter my calendar and send emails to guests without my knowledge. That's really a step too far for me - it takes away the privacy of my friends.


The best way to prevent this in this app, and many other apps is to use "App Ops" in 4.4 or use CyanogenMod and enable privacy guard and then you can long press on the app and prevent the app from reading SMS and many other things while you are at it.


I wish Google would recognize that it would be beneficial to protect users from this kind of thing by providing a decent management UI that didn't require using CM. Of course, that goes against some of Google's own interests...


App Ops was removed in 4.4.2. It had been accidentally added to 4.3: http://www.engadget.com/2013/12/13/google-removes-apps-ops-p...

App Ops was not an ideal solution anyway. A specific permission couldn't be disabled until after the app used the permission at least once. So the Facebook app could read your SMS when launched, and only then you would be able to disable the permission.


This sort of crap is the reason I'm using Tinfoil for Facebook [1].

[1]: https://play.google.com/store/apps/details?id=com.danvelazco...


SMS is nothing. There are now many Android apps that demand the right to turn on your microphone any time they want to without notifying you. If you carry an Android phone and are not really careful about permissions you are carrying a wire.


Which apps would those be?


I do not remember which apps specifically stated "without notifying the user", however it was worded, and I can't find any permission that specifically states that now. But I am pretty sure that with the MODIFY_AUDIO_SETTINGS permission it can be done by an app using the AudioRecord object:

http://developer.android.com/reference/android/media/AudioRe...

To my chagrin I find 31 apps on my phone now that have that permission.


Not just Facebook. There are many apps that are overstepping in terms of permissions. I turned off auto-update long ago and removed many offenders, but it seems every app these days is now requesting as many privileges as they can get away with. The general population of users aren't reading the list of new permissions on updates and no one is making these co's explain themselves as to why they need listed permissions. I asked an engineer behind an app I wanted to use that paired with a paid service I love why they needed access to my contacts, considering my contact list wasn't part of the core service. I told him read access to my contacts and full network access made me wary; what would keep them from reading and storing all my contacts on their server? His only response was that they promised not to do anything nefarious. I should not have to root my phone to use apps while protecting my personal data. Android User Profiles sounded very promising to keep private away from social, but my experience testing this feature out on the Nexus 7 was terrible.


Apps do not auto-update from the Play Store if there are new permissions. You have to manually update them. I am not sure if this is a recent change or not, as I started using Android with the Nexus 5.


It's always done that.


1. This has been a thing for quite a while now, there have been numerous articles about this. This is nothing new, although it may have not rolled out to all users.

2. Facebook gives an explanation of all the permissions they need, including the read SMS one, here: https://www.facebook.com/help/210676372433246

3. This is more of an Android permission issue than specifically a Facebook app one. Facebook, in order to implement automatic confirmation, didn't really have a choice.

And fwiw, I use the app daily and I've had this update for at least a month, and the read SMS permission was never used according to various privacy tools which allow you to see, disable and view the usage history of app permissions.

Until Facebook starts abusing this feature/permission, I don't think it's really the issue most articles about this make it look like.


Why not just disable the feature if you want to deny it? Seems like a pretty shit feature if you ask me.


I'm not sure what you're saying exactly.

Why doesn't Facebook disable it? Because people use it.

Why don't users disable/deny it? Because you can't select which permissions you want to grant to an application upon installation; it's either all or nothing, even though the permissions may never be used.

And it's not really a shitty feature; the auto confirmation is pretty good. The permissions needed for it are shitty, though, but they don't really have a choice other than completely disabling that part of the application and having users enter the code manually.


...and this is why not to install the Facebook app.

Try Tinfoil: https://play.google.com/store/apps/details?id=com.danvelazco...

CyanogenMod with Privacy Guard also works, but Facebook's app is stupid bloatware anyway.


Don't forget that Google Hangouts now has access to all your texts, too.


Err, yes, but on any modern version of Android, Google Hangouts is the SMS app, so I think that's a bit of a red herring, and completely unrelated.


> Google Hangouts is the SMS app

What do you mean by that? It asked me if I wanted it to handle my SMS, I said no. It asked me again when I updated to 4.4, I said no again. I can (and will) keep saying no...


They removed the default messenger and combined it with Hangouts so they can have a ubiquitous chat service like iMessage on iOS.


But I have the default messenger on 4.4.2?


I would love this feature if they actually incorporated my SMS history into Hangouts, but unfortunately I can't move or sync messages across phones or view them on my computer.

I suppose they reason that it would be too confusing to the people who would then try to SMS from their computer, as iPhone+Mac users are able to do so... but isn't segmenting my Hangouts history just as confusing?


Only on the latest Android if you buy it that way on very specific phones. For everyone else (read: MOST Android users) an upgrade happened, often from Google Talk, and wound up with a new app with full SMS control without the user knowing.


I'm not sure why you consider that a red herring. You can disable Hangouts and Android will fall back to the standard Messaging app.


The standard messaging app isn't installed by default on modern Android phones (Nexus 5). You can of course install 3rd-party messaging apps.


Well, admittedly my phone isn't bleeding-edge, being a Nexus 4, but it runs the latest version of Android, and removal of Hangouts does make Messaging the SMS app.


... which is written by Google. The same people who wrote the stock messaging app... and the phone's OS. If they want your texts, getting them through the Hangouts app is hardly necessary.


I remember noticing this on a lot more than just Facebook. The Android permissions model seems to be pointless now, as so many apps ask for pretty much all of the permissions.


The only astounding thing is that people seem surprised.

Also it's a moot point regardless: Facebook can read all my messages to friends on Facebook already, and all their messages to their friends, and everything they publicly and privately share, including photos and videos, and they have access to most e-mail accounts around the globe. My texts are a relatively small deal in comparison.


Asking for SMS (read/send) permissions is a growing trend among mobile apps (Facebook, Facebook Messenger, Twitter, Google Hangouts…).

Most of the time, they're there to make the app slightly more useful to the end user. But at the same time, you're potentially saying "yes" to a company who might, one day, use your most personal info for bleaker purposes.

It's thus something I've always been fighting against (at least at a personal level): I've stuck to the older, non-requiring-SMS-permissions version of these apps until I could upgrade to a version of Android with App Ops, then Cyanogen.

If SMS permissions are where you draw the line regarding your privacy, either run a version of Android with App Ops, or Cyanogen with Privacy Guard.

I find it sad that companies still think most users value simplicity over privacy.


I find it sad that most users value simplicity over privacy.


I believe most users seem to value simplicity over privacy, but actually do care about privacy. What's sad is that they don't get vocal enough about it until private information gets exposed.


Just delete Facebook already.


The heading would have been proper if it were 'Android allows apps to read your text messages'.


I noticed they pushed an update to the iOS app too, but those permissions weren't mentioned in the update log. Anyone know if they claim the same access on iOS? There are no granular permissions in the iOS Privacy section to control access to messages.


iOS apps can't access messages.


Thanks. I wasn't sure about that.


http://imgur.com/W09C9uO

Twitter is doing the same. It requests access to the contacts list, SMS, phone calls, and phone identity. I noticed the same and stopped updating. Android should enable users to control apps.


It is a ridiculous and, I would say, blatant insult to users and their security to not firewall off apps. I really, really don't understand it.


I have about 10 apps that I refuse to update, because they want some new permissions that I'm not willing to grant them. It is sometimes hard to find apps that respect your privacy and don't request absurd permissions.


You can control the permissions of each app with AppOps [1].

[1] https://play.google.com/store/apps/details?id=fr.slvn.appops


What's New: v 1.4 - No more support for 4.4.2. I cannot do anything about it so far.


Add Hangouts to the discussion. They incorporated SMS into the app, but the implementation doesn't look complete/polished, let alone the app. So, it doesn't provide me an alternative to the OEM provided messaging app, and at the same time they are accessing my SMS messages.

I personally don't use Facebook on my phone now, but I would recommend using a third-party app for accessing Facebook on Android. I have used Friendcaster, Fast and Seesmic before and found them pretty decent.


They're not accessing your messages unless you use it as the default SMS application.


The RSA app had a similar new permission recently: the ability to use your camera. With the knowledge of the NSA's backdoor in RSA encryption, I'll continue to refuse the update. I know that I'm on the paranoid side, but I'd rather be paranoid than blindly accept these kinds of new requests. Facebook is out of control. They are trying to get their hands on as much of your personal data as possible. That alone should be enough for us to quit.


That's why Privacy Guard from CyanogenMod is so useful.

(Actually it's called AppOps and it's from Google, but it's a hidden feature on stock Android.)


Looks like not many people knew about it. If it's available on Android, FB should ask the user's permission instead of forcing them to accept. If it's for the sake of a feature, then when the user declines, they only need to disable that feature.


I only use Facebook via Firefox on Android (https://play.google.com/store/apps/details?id=org.mozilla.fi...) and it works great. Not wanting to grant intrusive permissions to the Facebook app is my number one reason.


Facebook had this permission a long while ago and apparently removed it at some point. People complained about the same thing then, too.

Ref: http://www.businessinsider.com/facebook-might-be-reading-you... from Feb. 2012


It is not only Facebook. Vodafone also does the same, but also with write permission on your SMS. http://www.intrepidkarthi.com/2014/01/vodafone-is-reading-sm...


Reminds me of apps within Facebook that want access to post on your wall, and then you uncheck that, but then the app goes "NNOOOOOOO!" and tries to get you to check it just to use the app, even though it does not need such permissions.


Which is why Privacy Guard from CM is so important.

I have it enabled by default for all newly installed apps.


What I find more insidious is the new FB app permissions that allow it to read all of your private calendar data. Maybe no big deal for many people, but I put a lot of stuff into my calendar entries that I consider pretty private info.


And Dropbox can read your contacts. Haven't updated yet, and probably won't.

Hello ownCloud!


Ever since Facebook requested permission to paint over other apps, I've refused to upgrade or uninstall just to contribute an infinitesimal amount to the maintenance cost of their software.


Is it possible for another app to interface with Facebook's chat, or do they prevent this? I remember there used to be chat apps for PC that could do MSN, AIM, Yahoo and a bunch of others.


You can just interface with Facebook chat using the Jabber protocol https://developers.facebook.com/docs/chat/


Gotta love Android. No recourse short of a custom ROM and/or rooting.


This is true only for Android phones? Should iOS users be wary?


Nup, iOS is far more secure than Android.


Far more secure? Thanks for the information, I didn't know that, and didn't know the topic here was about security.


I don't mind. The Facebook chat has already replaced any texting I'm doing so the only new stuff they will get access to are postal delivery notifications.


Which leads me to the question: can HN read my posts?


Who can't read my texts nowadays?


This is why I do not use any Google, Facebook or Twitter apps on my Android devices. On my iPhone, I block all requests.


Everyone I know, me included, just clicks "yes" on the giant list with every second application.

It's kind of sad.


Facebook and Zuck have waaayyyyy too bad a privacy track record to be entrusted with this, imo. I deleted the app.


It's not just Facebook. A lot of Google apps also require read (even write) SMS permissions.


I just use the web app, when I use FB at all. The value/intrusiveness ratio is pretty low.


I don't use the Facebook or Twitter apps; I only use them in mobile Chrome and it's good enough.


Thank God that I cannot uninstall the Facebook app from my HTC One.


Could this be one of the reasons web apps get traction on Android?


Does anyone know what they are using this feature for exactly?


It helps expand their social graph beyond what you've shared on their platform. It also gives them access to geolocation information for users that haven't shared it previously, as photos shared over text messages may contain geolocation coordinates. It likely also gives them context about where people are, what they're doing, who they're talking to the most, and what they're communicating about, so they can deliver more context-aware advertising.

But if you ask them, they'll say it helps them deliver a better experience for their users and helps connect people, and that's what people really want... to be more connected.


More connected than what? I am connected with all of my friends and business contacts; what's the next level of "more connected"?


It's better to ask what they (or anyone else) can use it for. And Facebook is a treasure mine for all kinds of NSA types.


This sucks. I should start reading privacy policies.


This WAS THE LAST STRAW!!!

I DELETED FACEBOOK!!!!!!!!!!!!!!!!!!!


Hey, where is the "Reject" button?


Just use their web site.


I'm a god-fearing American citizen with nothing to hide.


Let's test that. What's your Social Security Number?


I just sent it to you in a text message. Didn't you get it?



