Why Does Facebook Need To Read My Text Messages? 293
DavidGilbert99 writes "Facebook updates its Android app quite a lot, but the latest version asks for some rather odd permissions. Rolling out in the UK this week, some users have noticed that it now wants permission to read your text messages. While most suspected Facebook wanted to access the data to try and serve you more targeted ads, Facebook says it is only so it can facilitate two-factor authentication...apparently."
Actually one of my beefs (Score:5, Interesting)
Android needs to add two levels of permissions for much of this stuff. You basically have to ask for everything or nothing. I wanted to check network state in my current app, which requires asking for permission to change the user's networks. I don't want to change their networks. I just want to see if the network is up.
Removed app + hidden services from ROM long ago (Score:5, Interesting)
I couldn't be happier now that I've completely purged Facebook and its hidden (SNS, not a typo) services from my ROM and phone, and frozen/deleted all of the other assets in other apps that try to "phone home" to Facebook. Side benefit is that after removing Facebook from my phone, I gained seven solid HOURS of battery life back. I didn't realize how often the SNS service and Facebook itself were sending and receiving data, phoning home, etc.
The combination of Android Permission Manager [google.com], DroidWall [google.com] and LBE Security Master [lbesec.com] have made things much easier to block, delete, drop packets, deny and forbid services from trying to use unnecessary permissions.
I guarantee that no app is doing what it shouldn't, and those that should have permissions (Camera => Take Photos Permission) are prompted every time they attempt to do so, never allowed by default. If I'm not using the Camera for example, and I get a popup that it tried to take a photo, I permanently deny it and remove/uninstall the app. I don't tolerate any of that out-of-band behavior on my phone.
You should investigate the same. Yes, we all know about the L4 kernel, but this at least will help remove the abuse from the application level.
Re:Actually one of my beefs (Score:4, Interesting)
The problem is that such granular permissions are too complex for most users to understand. It's not such a good security model. Think about how endless permission messages on Vista lead to people blindly clicking "OK" all the time. Think about how parents were quickly trained by their kids to enter their PIN every time the iPad required it to play some game.
Permissions are a very hard problem to solve, but I think the Android way of presenting them all up front at a high level does at least make it easy and most importantly very low time/irritation cost for the user to check them. Most people seem to be cottoning on to the fact that flashlight apps don't need network or phone access. Maybe power users could have a box to tick for extended granular permissions, but of course such users can get them via an app because they already have root.
Re:SubjectsInCommentsAreStupid (Score:5, Interesting)
My battery life has improved a bit. Also recently uninstalled Google Talk (now called "Hangouts (Replaces Google Talk)") because it started asking for access to my text messages as well.
That shouldn't come as too much of a surprise, since Hangouts is the app for text messaging these days. I just upgraded to a new Nexus 5, for example, and there is no separate Messaging app. Hangouts handles that function by default.
Moving back on-topic, App Ops X is a good start, and I'm disappointed with Google for removing this function from the base system and making it increasingly difficult to install and use. Ideally I'd prefer for users to have complete control over permissions, in a way which is completely transparent to the app. The app doesn't need to know that network access is blocked; it just gets a "no signal" response, or "destination unreachable" when attempting to access particular domains. It doesn't need to know that you've restricted access to the contact list; it just gets its own, private contact list. It doesn't need to know you've restricted location access, it just sees "acquiring GPS signal...". And so on. If the app can see what you've restricted, then the app can be designed to refuse to function until you've removed the restriction, which defeats the whole point. The sandbox approach is the only reasonable way to have fine-grained permissions under the user's control.
Re:Think of the children (Score:4, Interesting)
And if bloatware on your phone is eating your private messages and sending them off to a company you never signed up for an account with, would you know?
Re:Why use their app? (Score:4, Interesting)
So that Google can provide geolocation for devices without GPS by fingerprinting the signal strength patterns and access point names you see. They also use it for road traffic reports - where do you think Google Maps gets its traffic data from?
Re:Why use their app? (Score:4, Interesting)
So that Google can provide geolocation for devices without GPS by fingerprinting the signal strength patterns and access point names you see. They also use it for road traffic reports - where do you think Google Maps gets its traffic data from?
Exactly. When I activated a new Nexus tablet it explained in plain language about the Google Location Reporting (how they get data for the wifi geolocation you mention) and ask whether or not one wishes to activate it or not.
You can disable it in Settings --> Location --> Google Location Reporting. Turning GLR off does not interfere with other location-related things (for example, you can turn off GLR but still use the geolocation functions in Google Maps or other apps).