

Facebook allegedly skirts Google Play store with latest update - hessenwolf
http://www.engadget.com/2013/03/15/facebook-update-skirts-play-store/

======
duaneb
I know this is commonplace on desktops, but it really freaks me out on my
phone. Especially with Facebook's track record of, say, going through my
contacts and adding the Facebook "email" (which nobody in their right mind
would use over a real email system), consistently (but technically legally)
violating my privacy, and enabling opt-out "features" that are usually unasked
for and unwanted.

In short, Facebook is the last app I would want auto-updating.

EDIT: I realize you can refuse the update, but what's the point? It doesn't
look like you can see what has changed.

~~~
cbhl
Technically, Google can install arbitrary software on your phone -- Google
Play installations are served by "push", not "pull".

If you own a cell phone, you're already screwed from a privacy standpoint with
carriers tracking which tower you're connected to.

tl;dr: You should be freaked out, but not by this.

------
lost_name
I don't think it's important that just any app is "skirting the store" (plenty
do that already, it's not an issue). What is interesting is that Facebook is
doing it.

Auto Updates are part of the Android store already, so this doesn't even offer
new functionality. However, it does offer Facebook a couple interesting
options.

1) They could force users to update, possibly to versions with more
permissions. The keyword here is force, which the Play store won't do.

2) They could update devices that don't use the Play or Amazon store, if the
application was somehow on the phone (from the carrier or manufacturer,
perhaps). I think this is most likely.

3) They could remove most permissions from the Facebook app on the store, only
to have the app request them after requiring an update.

~~~
fps
Plenty of apps force updates through the Play store by disabling functionality
remotely in the currently installed application. I've had games and other
applications that have no legitimate need for remote server interactions
become disabled because a newer version is available, where any attempt to
launch the application redirects to the Play store page instead. This isn't
good, and most of those applications don't last on my devices, but that isn't
a completely unheard of practice.

------
jamesaguilar
I like the idea, but I wish that they would do something about the Android
app. It's supposed to be on par with the iPhone app, but I have found it to be
much slower, and a lot of the internal links and notifications seem to take me
to non-existent pages. On top of that, it seems like no matter what my actual
network state, I occasionally see "Network error" at the top of the page
before it actually does anything.

------
nekgrim
Isn't it what Amazon Market does? Downloading the apk, and notifying you that an
update is ready?

But you have to allow untrusted sources installation in the security menu, and
still have the installation screen (left screenshot in the article).

I don't see a problem, some games are downloading and updating their files
too. If you don't trust the app, use FB website.

------
emil10001
I wrote a post on why this is a really bad idea:
http://www.recursiverobot.com/post/45447666701/facebook-updates-as-malware

------
Mahn
This is bad. Facebook doing this can potentially lead to other devs following,
and if this happens we'll end up in an ecosystem mess where every app does
whatever it well pleases.

------
ishansharma
Why does this make big headlines? Does it somehow violate Google's Terms and
Conditions or is it something that hasn't been done before?

P.S. I am not an Android user, so I might be unaware of obvious
benefits/harms.

~~~
sp332
This might be unexpected, but I can't see how it would violate any ToS. Google
explicitly allows alternative app stores and side-loading apps. Even apps sold
through the Play store often have in-app purchases which significantly change
the app functionality.

I think changing permissions after being installed is pretty odd. Other than
that, this has been done before. The Battle for Wesnoth app is just a wrapper
that downloads the real game after you install it.

~~~
randallu
Presumably this downloads new executable code (or bytecode) rather than data.
I could put up a shell app which does the same thing to download exploits
after a while. This is why Apple has the "don't download code" rule (and why
they had a "no interpreters" rule).

So maybe it's OK in the ToS right now, but I can understand why it _shouldn't_
be OK, especially on a platform with so many local exploits (like Samsung's
world-writable /dev/mem equivalent, etc).

EDIT: Actually they're just grabbing a new APK, which is weirder in a way
since they are literally duplicating the Play Store mechanism but avoiding the
good things that the Play Store tries to do for customers (static analysis for
security risks, etc). Why wouldn't they just notify the user that a new
version is available from Play? Bizarre choice.

------
Sujan
How are they doing that technically?

~~~
cbhl
They're just distributing the APK, and having you install it manually, from
the looks of it.

~~~
sp332
But by default, doesn't Android refuse to install APKs that don't come from
the Play store?

~~~
SixteenBlue
Yes, that's the default setting. So your options are to change that setting
and update, get constantly buzzed with notifications to update, or uninstall.
I uninstalled.

~~~
cbhl
Sadly, this is sucky on both ends of the equation.

When I interned at Facebook two years ago, it was a PITA to change the API to
work around bugs that were fixed in old versions of FB4A because people
wouldn't upgrade -- whereas the vast majority of iOS users upgraded the
Facebook app within days of a new release showing up in the App Store. The
addition of non-Play devices makes this even worse.

Granted, I had my own reasons for not wanting to upgrade, so I can sympathize
with users, too. (Facebook was pre-installed on my device, and upgrading
caused it to take up space in the 180 MB volatile/userdata partition on my
Nexus One. I eventually solved the issue by buying a Galaxy Nexus, but I
recognize not everyone can buy new phones that frequently.)

