
Facebook Android app sends phone number to Facebook servers without consent - daspianist
http://www.symantec.com/connect/blogs/norton-mobile-insight-discovers-facebook-privacy-leak
======
guelo
Android's take-it-or-leave-it install-time permission model sucks. I just
counted 32 permissions for the Facebook app. When the user goes to install the
app they are supposed to review that long list and decide if they are going to
take it or leave it. The reality is most users have no idea what they're being
asked and just hit Accept. Which means for most practical purposes there is no
permission security.

Much better is the iOS model where there are a select few extra-sensitive
permissions that cause a popup when the app requests it and lets the user
decide if they're going to grant it at runtime, not install time. That lets
the user know what triggered the request and decide if it's legitimate. It
also allows them to continue using an app even if they don't want to share
their location or whatever.

~~~
scott_karana
I agree. I wish Android had denial or "spoofing" of permissions in stock form.

I do appreciate that Android points out even smaller details, however: "access
to your contacts" is one that works without prompting on iOS, if I remember
correctly.

It'd be nice if users could choose both the level of detail _and_ choose
piecemeal.

~~~
rimantas
> _"access to your contacts" is one that works without
> prompting on iOS, if I remember correctly._

It used to work, but was fixed in iOS6.

------
yock
_We reached out to Facebook who investigated the issue and will provide a fix
in their next Facebook for Android release. They stated they did not use or
process the phone numbers and have deleted them from their servers._

What utter garbage. They're really going to claim it was an accident?

~~~
abraham
Facebook never said it was an accident.

~~~
kryten
Indeed.

Facebook are a rotten company like this. They'll throw something out, then
yank it if they get caught. It makes you wonder what we haven't noticed yet.

~~~
kayoone
yep, the whole "move fast and break things" mantra doesn't really suit privacy
concerns.

~~~
smacktoward
"Move fast and don't get caught."

------
andymcsherry
This is pretty standard in Android apps for analytics tracking to use the
phone number, IMEI or other values. A while back, a few production phones
shipped where Settings.Secure.ANDROID_ID returned invalid values (null, the
same value for all devices of that model, etc). This is the reason that most
apps you come across ask for the READ_PHONE_STATE permission.
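
As an added illustration of the point above (not code from the page, from Facebook or from Android itself): a hypothetical `InstallId` helper that gives analytics a stable identifier without READ_PHONE_STATE, by generating a random per-install ID instead of reading the phone number or IMEI, plus the sanity check on ANDROID_ID that shows why apps distrusted it (the null/empty cases and one widely documented Froyo-era duplicate value).

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.provider.Settings;
import java.util.UUID;

/** Hypothetical helper (added example): app-scoped analytics ID with no phone-identity permission. */
public final class InstallId {
    private static final String PREFS = "install_id_prefs";
    private static final String KEY = "install_id";
    // Duplicate ANDROID_ID that a batch of Android 2.2 devices returned for every unit;
    // widely documented, so treated here as a known-bad value.
    private static final String KNOWN_BAD_ANDROID_ID = "9774d56d682e549c";

    private InstallId() {}

    /**
     * Returns the per-install ID, creating it on first use. It is random, so it carries no
     * device, SIM or user identity, survives restarts, and is reset by uninstall or Clear Data.
     */
    public static synchronized String get(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY, null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY, id).apply();  // app-private storage, no permission needed
        }
        return id;
    }

    /** True when ANDROID_ID is present and not one of the broken values some devices shipped with. */
    public static boolean androidIdLooksValid(Context ctx) {
        String androidId = Settings.Secure.getString(
                ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
        return androidId != null
                && !androidId.isEmpty()
                && !KNOWN_BAD_ANDROID_ID.equals(androidId);
    }
}
```

The random ID serves the "which install is this" question analytics actually asks; ANDROID_ID is only consulted to decide whether it can be trusted, never sent.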

~~~
Livven
Thanks for mentioning this. It's always annoying when stuff like this is taken
out of context and reinterpreted by people who don't have intimate knowledge
about the topic, resulting in the kind of useless knee-jerk reactions seen in
this comment thread.

If you told the average web-using person that whenever they visit google.com
Google gets to know which internet provider you use and from which country,
possibly even city you come from and which language you speak, they'd probably
freak out thinking it was some evil Google scheme to mine data when in fact,
all that is simply a byproduct of any reasonable logging or analytics solution
that is not special to Google at all.

~~~
pbsdp
> _... they'd probably freak out thinking it was some evil Google scheme to
> mine data when in fact, all that is simply a byproduct of any reasonable
> logging or analytics solution that is not special to Google at all._

If that's true -- that an objective reasonable observer would think those
things -- perhaps that's indicative of analytics being of questionable ethical
standing.

After all, they enable the massive centralization of extremely far reaching
user data, voluntarily submitted by both applications and websites to
centralized data brokers -- such as Google -- who are not only positioned to
build enormous commercial profiles of users, but also to (be compelled to)
give or sell those profiles to government(s).

------
jbail
You know what the super not cool part is? Tons of Android phones come pre-
packaged with a Facebook app that you can't delete unless you root your phone.

~~~
dschep
Do carriers remove the "Disable" feature in Android 4+ in "Manage Apps?"

~~~
speeder
Several carriers still ship Android 2, especially for cheaper phones (or stupid
phones, like Xperia Play that only supports Android 2...)

Oh, and my Xperia Play came with Facebook for Xperia that integrated a lot
with it and I almost bricked the phone trying to remove it, needed to do some
warranty-breaking stuff to re-install a firmware from scratch.

------
ferdo
"They "trust me". Dumb fucks."

-Zuck

~~~
grbalaffa
In case anyone doubts the reality of this quote:

[http://gawker.com/5636765/facebook-ceo-admits-to-calling-use...](http://gawker.com/5636765/facebook-ceo-admits-to-calling-users-dumb-fucks)

~~~
onedev
It's wildly taken out of context.

He said it when he was 19 (!!) in regards to a web form he made where people
submitted their emails, phone numbers, and social security numbers with
nothing else besides that form. The users were indeed stupid as shit in that
situation.

I'd also like to remind you that he's 29 now and running one of the most
successful companies in the world. If you think he hasn't learned something in
the span of 10 years, you're delusional and your comments as well as that
article is sensationalist.

~~~
stfsbrb
Nice try, Zuckerberg.

~~~
onedev
This isn't Reddit. If you can't have intelligent, thoughtful discussion, go
away and never comment.

You added literally nothing to this conversation.

------
bcRIPster
That's annoying. But an app that's more intrusive in my mind is the Flickr app
which sends your Geo location back to Flickr every single damn time you exit
any camera on your Android phone. Even if you haven't launched Flickr in
weeks/months. It's done this for as long as I've been monitoring the apps on
my phone (a good year now).

I started using LBE to selectively block security requests by apps last Summer
after being required to install an e-mail app on my personal phone for work
that harvests your contact lists and call history. I soon discovered lots of
mischief going on with my phone from all kinds of apps and it was rather
infuriating.

~~~
computerbob
what if you don't have your GPS on?

~~~
wutbrodo
Location services can always use data or wifi antennas. I believe most Android
phones have an OS-level option to turn off app access to location from these
sources (otherwise airplane mode would be the only way to do it, I guess).

------
mikecane
Surveillance isn't cool. You know what's cool? Privacy.

~~~
mtp0101
haha, best comment

------
vabmit
As much as I wanted to install their app, I never did because I didn't trust
them. I clicked to the requested permissions screen a few times. But, I just
couldn't get myself to go any further. Now, I feel vindicated for my paranoia.
I'm sure they're doing many more nefarious things.

~~~
eclipxe
Meh. It is just your phone number. What is the big deal?

~~~
ch4ch4
Meh. It is just your ______. What is the big deal?

^This is a slippery slope!

------
cseelus
Facebook grabs or publishes data without users consent. Does that really
surprise anyone anymore?

------
monkmartinez
You don't need Facebook. Kill your profile.

~~~
werid
in case you didn't read the article

"The first time you launch the Facebook application, even before logging in,
your phone number will be sent over the Internet to Facebook servers. You do
not need to provide your phone number, log in, initiate a specific action, or
even need a Facebook account for this to happen."

so an accidental launch is all you need.

~~~
IanCal
You do still need to install and agree to the permissions though. I wonder if
this is in the list.

~~~
werid
Facebook comes pre-installed on a lot of phones. can't even remove it without
rooting the phone.

------
akaBruce
That's not so bad compared to the other permissions on there. With Facebook,
I'd guess (maybe incorrectly) you're already listing your phone number on
there and they'll eventually get it anyway. I'd like to know the reason behind
some other things on that permissions list...

[https://play.google.com/store/apps/details?id=com.facebook.k...](https://play.google.com/store/apps/details?id=com.facebook.katana)

* Directly call phone numbers: Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Note that this doesn't allow the app to call emergency numbers. Malicious apps may cost you money by making calls without your confirmation.

* Read phone status and identity: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

* Write call log: Allows the app to modify your device's call log, including data about incoming and outgoing calls. Malicious apps may use this to erase or modify your call log.

* Read call log: Allows the app to read your device's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.

Account management I can understand. Location makes sense for checking-in and
what not. Reading/modifying contacts also makes sense if you'd like it to
manage your contacts automatically.

The call logs are the ones that really confuse me. The only thing I can think
of that would make sense is charging for Facebook Credits via your carrier and
trying not to confuse the user into thinking they're getting charged twice
(once via the Facebook App and once more via the phone call).

------
tehwebguy
Why is there an API for phone number that does not require user consent?
Facebook and Google are both at fault here.

~~~
guelo
In order to install the app the user has to approve a long list of required
permissions including "read phone status and identity".

------
blinkingled
Between a UI that looks exactly like the mobile page loaded in Chrome/Stock
Browser, draining battery and abusing location/privacy why would anyone want
to use Facebook on their Android phone? Delete it, disable it or just don't
sign in as applicable.

------
Bill_Dimm
That must make it easier for the NSA to link your phone number to your
Facebook account.

~~~
205guy
Bingo!

------
nivla
I thought this was a known fact. Aren't there numerous articles where people
were surprised how Facebook knew and was recommending their
dentist/plumber/clients to be added? Towards the end it turned out to be from
the contact list uploaded from the user's phone.

I am not going to say to avoid FB, but if you really want it on the phone,
please use a non-official version for privacy's sake. At least on Android, they
are less sucky than the official version. One of those times I am happy a
company doesn't make an official version for Windows Phone and the MS version
doesn't suck.

~~~
snom380
Not only that, it seems they will match your phone number if any of your
friends upload their contact list to Facebook.

------
meshko
I assume this is the same app that hacks Dalvik to even work?
([https://www.facebook.com/notes/facebook-engineering/under-th...](https://www.facebook.com/notes/facebook-engineering/under-the-hood-dalvik-patch-for-facebook-for-android/10151345597798920))

~~~
interpol_p
It's a shame they had to do that. I find that Android is painful to develop
for.

We had issues where certain Android versions were unable to install our app.
The workaround involved renaming some of our data files to use a .jpg
extension so that they would be treated as image assets and not loaded
entirely into memory on install, causing the device to run out of RAM. (I
forget the exact details, as my coworker discovered the issue and workaround
at the time.)

------
boi_v2
Facebook is the best, why bother ask for your phone number if you already told
them all your life.

------
ivanca
Don't worry guys, the data is only for PRISM so it's in good hands </sarcasm>.

------
ChrisAntaki
If you are afraid of your privacy being violated, why are you using Facebook
in the first place?

------
lucb1e
I'm surprised we're surprised really, to me this is what I'd expect it to do.

------
mcrmonkey
This is something that has been going on for a couple of years you know

------
HackerClues
Don't forget this app comes pre-installed on several phones too..

------
lampe3
in the newest CyanogenMod nightlies there is the new privacy guard. it
basically shows the app an empty contacts list and other stuff

