
iPhone protected you from Facebook call scraping. Android, not so much - Froyoh
https://www.imore.com/iphone-protected-you-facebook-call-scraping-android-not-so-much
======
sjwright
There are two major philosophical differences between Google and Apple which
led to this outcome.

The first is the difference in business model, i.e. advertising versus
whole-product.

The second is that Google starts with a permissive ecosystem mindset and locks
stuff down as they go along; Apple starts with a conservative mindset and
opens stuff up as they go along. Neither approach is inherently better than
the other—the competing platforms are converging towards equilibrium—but
Apple's approach does prove to have the upper hand when it comes to consumer
privacy.

~~~
sjwright
The amusing thing is how much flack Apple received early on for their closed
product approach.

It's arguable that Google traded heavily on the relative freedom of the
Android platform, and sucked in a lot of early adopter / tinkerer types on the
promise of openness. Kind of ironic that for most people, most of the time,
the open source nature of Android is now barely a historical footnote.

~~~
piracykills
> barely a historical footnote.

Certainly not for those tinkerer types. Often it's the tinkerer types who are
concerned about privacy, and it's those types who install Copperhead OS or
XPrivacy, which allows you to deny exactly this kind of thing. Not only that,
but it'll let you block all those smaller ways of spying - like unique device
IDs being phoned home to 6 different ad, analytics and crash handling services
that the silly game you just installed uses.

It's hard for me to imagine using a phone on which I see ads, especially on
YouTube, can't background apps like SSH clients, syncthing, even direct IMAP
and SIP connections used to be a struggle for people on iOS (still may be?) or
run apps that Google/Apple have decided are evil piracy tools, like a manga
reader or a torrent client manager and search tool. I have friends who even
run emulators and use memory editors to cheat at mobile games regularly on
their phones... very, very different models. Android is just a lot more
flexible for a tinkerer to this day. All this is possible without exploits on
most devices, allowed and accepted by many manufacturers.

There's this weird attitude on HN I see frequently where it seems like
everything has to be "for the masses" for it to be of any value - tinkering by
definition is not for the masses. Android devices probably shouldn't be for
the masses, but for tinkerers, they really do pack a respectable punch in my
opinion.

~~~
sjwright
> _Certainly not for those tinkerer types._

Hence why I said most.

But even then I think you're still massively overstating it. 6-10 years ago
nearly everyone in my circle of geeky friends and colleagues had a root-kitted
Android (Cyanogenmod or similar) or a jailbroken iPhone. Today that number is
exactly zero.

~~~
krzat
Thankfully we have traditional computers to tinker with, but I feel bad for
people who don't have one and use iPad instead.

~~~
sjwright
That's the myopia of a technologist.

I know many older people for whom an iPad is the first "computer" they've ever
owned, and for them it's a lifeline to grandchildren and community. These are
people who were never going to learn MacOS or Windows.

These people don't need your pity.

------
lifthrasiir
The app would have been trivially considered a malware if the same thing
happened in Windows, where the app was traditionally allowed to access
anything within the basic privileges---just about anything. One can (rightly)
blame Windows (and also Android) for allowing that, but more importantly, the
Facebook app would have to be treated in the same way after all.

~~~
Larrikin
I believe this is something that regulation should address. Scooping up all
this data should be a massive liability for companies. Depending on the
severity of a hack or misuse of the data it should effectively bankrupt or
significantly destroy profits of any company. But the OS should not completely
prevent it.

There are a number of programs for power users on macOS that have stopped
selling through the App Store or warn against limited functionality for apps
bought through the store. There are also a lot of extremely useful apps for
Android that work most effectively when your phone is rooted. Google's Safety
Net has effectively made rooting a liability for all power users. When the OS
provider is limiting what a user can do the device quickly devolves into an
entertainment consumption device.

Bad actors should be treated as viruses and malware the same as they were
before.

~~~
gruez
> Depending on the severity of a hack or misuse of the data it should
> effectively bankrupt or significantly destroy profits of any company.

Counterpoint: Equifax

~~~
Larrikin
Equifax is exactly the kind of company that should not exist after a breach of
that kind.

~~~
guitarbill
Equifax is exactly the kind of company that should have never existed, and
should have never been allowed to exist.

The same with the Facebook app (+ Android permissions, because even Facebook
can't do full evil without Google apparently). And it's going to be the same
result. Nothing is going to change, neither company will suffer much, nobody
is going to jail. So his counterpoint is valid.

------
Finnucane
Now my paranoia about never using Facebook from my phone is retroactively
justified.

~~~
megy
If you use it from a browser, rather than the app, you are safe.

------
oldgun
> More recent versions of Android should prevent this kind of data collection.

So the title made me think all Android are exposed to Facebook phone data
scraping.

But considering how slow it is for Android devices to upgrade to the latest,
it's probably still a sad state.

~~~
softawre
Get a Pixel. I love mine, as an iPhone user for the past 6 years.

------
sohkamyung
This updated piece by Android Police [1] provides some more pieces of
information (see the bottom of the article for the updates):

- The company [Facebook] reiterated that it wasn't saving the actual content
of calls or SMS/MMS messages—something neither Ars Technica nor we claimed,
but presumably other outlets did.

- It's actually a part of Facebook Lite and Messenger (and users can opt out
[...] respectively). Facebook considers the data collection opt-in since the
apps in question directly ask if you'd like to upload that information during
setup.

[1] https://www.androidpolice.com/2018/03/25/facebook-gathering-call-sms-mms-metadata-years-via-app/

------
nimbius
LineageOS prevents this type of access. If an application needs access to your
phone or your contacts, you need to explicitly permit it to do so during
execution. If you want to do this more than once, you need to set it up in the
security options for the application in the settings menu.

~~~
jaimex2
LineageOS goes a step further actually and feeds it junk data.

------
x0054
Are they seriously smart enough to collect this data but stupid enough to dump
it in an archive copy?

~~~
justincormack
The dump was originally to comply with EU law. If they miss out data they
would be legally liable and would be in a very difficult position in Europe.

------
JustSomeNobody
While this may be true, Rene Ritchie certainly has his own agenda here.

------
htk_
I was a Facebook user before I had my first Android phone. It was on 4.0.3
ICS, then I was on 4.3, 4.4, 5.0, 6.0, 7.1, etc., and before I deleted my
Facebook account, I saw no call logs in the backup data archive downloaded
from Facebook. Guess what: at some point, some users just simply said
yes to letting Facebook 'manage' their SMS or calls. If an Android user's call
log got scraped, it's partially his/her own fault.

------
txsh
As an iPhone user I’d like to think iOS does not allow this. However, I
understand there’s a private API that allows larger companies access to
functions that are not available to regular developers. It allows them access
to the microphone without the red bar showing even when there’s not a call.
Like others have, I’ve received ads for products spoken about near my phone
but never typed into a device I own or on my router.

~~~
askvictor
With iOS we have to trust/hope that Apple is doing the right thing. With
Android we can audit the code. Yes, the early permissions model left a lot to
be desired, and was subsequently revised. But we could always look at the OS
source to see where things might be leaking. Unless, of course, these things
are happening in the Google Framework level, at which point, we have to
trust/hope that Google is doing the right thing.

~~~
amluto
You can audit Android and see that it leaks like a sieve. Ever seen “read
phone state and identity”?

~~~
askvictor
I'll take your word for it, but my point is that you _can_ audit it. You can't
audit iOS.

~~~
ayrx
You can audit iOS. Security researchers do it all day long.

~~~
askvictor
Audit the code?

