Facebook Android app sends phone number to Facebook servers without consent (symantec.com)
214 points by daspianist 1429 days ago | 86 comments



Android's take-it-or-leave-it install-time permission model sucks. I just counted 32 permissions for the Facebook app. When the user goes to install the app they are supposed to review that long list and decide if they are going to take it or leave it. The reality is most users have no idea what they're being asked and just hit Accept. Which means for most practical purposes there is no permission security.

Much better is the iOS model where there are a select few extra-sensitive permissions that cause a popup when the app requests it and lets the user decide if they're going to grant it at runtime, not install time. That lets the user know what triggered the request and decide if it's legitimate. It also allows them to continue using an app even if they don't want to share their location or whatever.


> When the user goes to install the app they are supposed to review that long list

No, the user is supposed to see the first 2, ignore the hidden "show more" button, and then just hit Accept.

This is one of Android's more obnoxious user-security flaws.


90% of users (including me) don't bother reading even the first two.


It's wrong to expect users to read them. No wonder Android is a malware haven.


I agree. I wish Android had denial or "spoofing" of permissions in stock form.

I do appreciate that Android points out even smaller details, however: "access to your contacts" is one that works without prompting on iOS, if I remember correctly.

It'd be nice if users could choose both the level of detail and choose piecemeal.


> "access to your contacts" is one that works without prompting on iOS, if I remember correctly.

It used to work, but was fixed in iOS 6.


Obviously, we'll never see it in stock/vanilla, but there is something to be said for the fact that you can do spoofing at all via pdroid, which takes less than half an hour to set up if you're of the hacker persuasion. I dreamt of such a security setup for two decades before Android ever came to be.


iOS 6 I believe made requesting contacts require permission.


It would be great if Android collected all the permissions that are commonly disabled for an app and then presented the permissions on an app-by-app basis sorted from most disabled to least disabled.

This way users of any app in the Android ecosystem can rely on the wisdom of the crowds to quickly see which permissions people who know better commonly disable.

Should every user look over the entire list? Yes, in an ideal world. But since that isn't realistic, the best we can do is present them with those they will most likely want to disable right at the top.


Google _could_ fix this by requiring SecurityException to be handled.

1. Enable the user to select "a la carte" permissions on a per-app basis.

2. The user selectively turns off permissions, e.g. I WANT my flashlight app to throw an unhandled exception when it tries to get my location.

3. Require exception handling for missing permissions in new versions.

The burden for developers is low, especially in the cases of gratuitous permissions.

There are some cases, like address book apps that require access to the Contacts provider where a permission could make an app's functionality a nullity, but I think the everyday user is OK with seeing a crash dialog if a crappy app with obnoxious permissions craps out.

In the case of a high-value app like Facebook, Facebook would be motivated to explain permissions and provide exception handling that preserves as much functionality as possible.

If app compatibility becomes an issue, "nerfed" results instead of thrown exceptions could be used to trick apps into accepting fake data.

By combining options, notifications to the user, the use of SecurityException, and changes to exception handling requirements, Google could readily retrofit fine-grained user-controlled permissions to Android.
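
The proposal in the comment above, modelled in plain Java as an added example (not part of the thread and not Android framework code): `Platform`, `DenyMode` and both app methods are hypothetical, and the phone number is a constructed sample.

```java
import java.util.EnumSet;
import java.util.Set;

// Plain-Java model of user-revocable permissions; not Android framework code.
public class PermissionModel {
    enum Permission { READ_PHONE_STATE, ACCESS_FINE_LOCATION }
    enum DenyMode { THROW, NERF }   // SecurityException vs. fake ("nerfed") data

    // Hypothetical stand-in for the platform API that guards the phone number.
    static final class Platform {
        private final Set<Permission> granted = EnumSet.noneOf(Permission.class);
        private final DenyMode denyMode;

        Platform(Set<Permission> userGranted, DenyMode denyMode) {
            this.granted.addAll(userGranted);
            this.denyMode = denyMode;
        }

        // Named after TelephonyManager.getLine1Number(); value is a constructed sample.
        String getLine1Number() {
            if (granted.contains(Permission.READ_PHONE_STATE)) {
                return "+15555550100";
            }
            if (denyMode == DenyMode.NERF) {
                return "";  // app sees empty data and cannot tell it was denied
            }
            throw new SecurityException("READ_PHONE_STATE revoked by user");
        }
    }

    // App written for the proposed model: handles denial and keeps working.
    static String handlingApp(Platform p) {
        try {
            String number = p.getLine1Number();
            return number.isEmpty() ? "no number: ask the user to type it"
                                    : "prefill signup form with " + number;
        } catch (SecurityException e) {
            return "denied: skip the phone-number feature";
        }
    }

    // App that assumes the install-time grant can never be withdrawn.
    static String legacyApp(Platform p) {
        return "device tag " + p.getLine1Number().hashCode();
    }

    public static void main(String[] args) {
        Set<Permission> none = EnumSet.noneOf(Permission.class);
        Set<Permission> phone = EnumSet.of(Permission.READ_PHONE_STATE);
        for (DenyMode mode : DenyMode.values()) {
            Platform revoked = new Platform(none, mode);
            System.out.println(mode + " handling: " + handlingApp(revoked));
            try {
                System.out.println(mode + " legacy:   " + legacyApp(revoked));
            } catch (SecurityException e) {
                System.out.println(mode + " legacy:   crashed (" + e.getMessage() + ")");
            }
        }
        System.out.println("granted:  " + handlingApp(new Platform(phone, DenyMode.THROW)));
    }
}
```

With the permission revoked, the legacy app crashes in `THROW` mode and keeps running on empty data in `NERF` mode, while the handling app degrades gracefully in both.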


I'm quite sick of cavalier permissions. I started getting spam calls almost immediately after moving to an Android phone on the same account.


What's more, there is no legitimate way to get phone number on iOS.


Perfect timing. Saw this article 2 days ago:

"Android malware up 614%. Android Home to 92% of Mobile Market's Malware"

http://www.theregister.co.uk/2013/06/26/android_malware_bloo...


"Android running on 92% of phones"



> We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release. They stated they did not use or process the phone numbers and have deleted them from their servers.

What utter garbage. They're really going to claim it was an accident?


Facebook never said it was an accident.


Indeed.

Facebook are a rotten company like this. They'll throw something out, then yank it if they get caught. It makes you wonder what we haven't noticed yet.


Yep, the whole "move fast and break things" mantra doesn't really suit privacy concerns.


"Move fast and don't get caught."


This is pretty standard in Android apps for analytics tracking to use the phone number, IMEI or other values. A while back, a few production phones shipped where Settings.Secure.ANDROID_ID returned invalid values (null, the same value for all devices of that model, etc). This is the reason that most apps you come across ask for the READ_PHONE_STATE permission.


Thanks for mentioning this. It's always annoying when stuff like this is taken out of context and reinterpreted by people who don't have intimate knowledge about the topic, resulting in the kind of useless knee-jerk reactions seen in this comment thread.

If you told the average web-using person that whenever they visit google.com Google gets to know which internet provider you use and from which country, possibly even city you come from and which language you speak, they'd probably freak out thinking it was some evil Google scheme to mine data when in fact, all that is simply a byproduct of any reasonable logging or analytics solution that is not special to Google at all.


> ... they'd probably freak out thinking it was some evil Google scheme to mine data when in fact, all that is simply a byproduct of any reasonable logging or analytics solution that is not special to Google at all.

If that's true -- that an objective reasonable observer would think those things -- perhaps that's indicative of analytics being of questionable ethical standing.

After all, they enable the massive centralization of extremely far reaching user data, voluntarily submitted by both applications and websites to centralized data brokers -- such as Google -- who are not only positioned to build enormous commercial profiles of users, but also to (be compelled to) give or sell those profiles to government(s).


Well what it also means is that it's not just Facebook who does it. Many other apps you have installed are probably doing this as well without you knowing about it.


Everyone is focusing on FB but the bigger problem is that any app can probably take your phone number without permission. Paging Al Franken.


Actually, when you install an application you accept the READ_PHONE_STATE permission. So you're explicitly giving them permission to take your phone number. This doesn't really apply to pre-installed applications, but there's really no argument that they're doing it without your consent if you download the application from the Play Store.


Actually, most of the time it's explained as being needed to determine if the phone is in a call. Which sounds perfectly fine - I'd like music to stop or games to pause on incoming calls.

The fact that "phone state" is mixed up with Phone Unique ID is terrible.


Well, not only if your phone is in a call, but also your phone number, device id and the number of the person you're connected to.

Read phone status and identity: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

https://play.google.com/store/apps/details?id=com.facebook.k...

And don't worry if your friend has the Facebook app and calls you if you don't have a profile. They can just search through your friend's contacts to associate your number with a shadow profile of you anyway.


There is an argument, because normal people don't know what the hell a READ_PHONE_STATE is.


The description is: PHONE CALLS: READ PHONE STATUS AND IDENTITY. Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.


I am sure that most users will not even read/understand that description.

If the user puts some effort into parsing it, they will understand it and what it means for their privacy. But most people will not put that much effort into installing an app.

Despite being perfectly clear to you and me, it is wrong to ask for these permissions at install time.

Imagine if every time you visited a web site you were given a list of 5 - 10 permissions requested by the website before you could visit.


Sorry, but if people can't read and understand that description, I am not so sure they should be using a smartphone.


I'm pretty sure it doesn't literally show them "READ_PHONE_STATE" and other permissions in enum form. There's a heading and a description of what each permission entails.


That doesn't give you the phone number though, nor does it excuse them using the phone number (as I'm inferring from the wording in the article). TelephonyManager.getDeviceId() returns the IMEI/MEID/ESN, not the phone number. When most developers require READ_PHONE_STATE for a unique id, this is what they use.


TelephonyManager.getDeviceId() has its own set of issues. See: http://android-developers.blogspot.com/2011/03/identifying-a...


You know what the super not cool part is? Tons of Android phones come pre-packaged with a Facebook app that you can't delete unless you root your phone.


Do carriers remove the "Disable" feature in Android 4+ in "Manage Apps?"


Several carriers still ship Android 2, especially for cheaper phones (or stupid phones, like Xperia Play that only supports Android 2...)

Oh, and my Xperia Play came with Facebook for Xperia that integrated a lot with it and I almost bricked the phone trying to remove it, needed to do some warranty-breaking stuff to re-install a firmware from scratch.


On my phone I can disable it.


Don't you agree when buying the phone? Just curious


I suppose I could have googled it to find out, but I've certainly never had a carrier tell me in advance what apps would be on my phone. Perhaps it's buried in the fine print that I agreed to without reading, but honestly I doubt it.


Every smartphone comes with certain pre-installed apps that you might not necessarily desire. But Facebook certainly never was one of them. At least none of the Samsung series comes with it.


I just purchased a Motorola Defy XT from Republic Wireless and it came with the Facebook app pre-installed. I immediately checked for a system update (which there was one waiting), installed it and the FB app went away. Usually it doesn't work out that nicely though. My last Android was the HTC EVO and you couldn't get rid of FB unless you rooted your phone.


The Google Nexus One had Facebook force-installed; (I think) it came with one of the OS upgrades, which is even worse than pre-installed, because I really had no choice.


It certainly was one of them on some phones. I have had a "Facebook for LG" in the past that wasn't removable via the factory phone image.


Nope. The Samsung SGH-T959V (T-Mobile Galaxy G 4G) came with it preinstalled. I had to root the device to get rid of it (among other things).


"They "trust me". Dumb fucks."

-Zuck


In case anyone doubts the reality of this quote:

http://gawker.com/5636765/facebook-ceo-admits-to-calling-use...


It's wildly taken out of context.

He said it when he was 19 (!!) in regards to a web form he made where people submitted their emails, phone numbers, and social security numbers with nothing else besides that form. The users were indeed stupid as shit in that situation.

I'd also like to remind you that he's 29 now and running one of the most successful companies in the world. If you think he hasn't learned something in the span of 10 years, you're delusional and your comments as well as that article are sensationalist.


> If you think he hasn't learned something in the span of 10 years

He's learned to keep his little narcissistic mouth shut.


Nice try, Zuckerberg.


This isn't Reddit. If you can't have intelligent, thoughtful discussion, go away and never comment.

You added literally nothing to this conversation.


That's annoying. But an app that's more intrusive in my mind is the Flickr app which sends your Geo location back to Flickr every single damn time you exit any camera on your Android phone. Even if you haven't launched Flickr in weeks/months. It's done this for as long as I've been monitoring the apps on my phone (a good year now).

I started using LBE to selectively block security requests by apps last Summer after being required to install an e-mail app on my personal phone for work that harvests your contact lists and call history. I soon discovered lots of mischief going on with my phone from all kinds of apps and it was rather infuriating.


The SkyDrive app on Windows Phone does it too, but because I use that app I just turn the location service off until I need maps. PayPal, for instance, wants access to contacts (why?!?) so I stick with the web site. Each platform has issues like this. We're so used to just feeding the beast that app developers are ok with unreasonable requirements.


What if you don't have your GPS on?


Location services can always use data or wifi antennas. I believe most Android phones have an OS-level option to turn off app access to location from these sources (otherwise airplane mode would be the only way to do it, I guess).


Surveillance isn't cool. You know what's cool? Privacy.


haha, best comment


As much as I wanted to install their app, I never did because I didn't trust them. I clicked to the requested permissions screen a few times. But, I just couldn't get myself to go any further. Now, I feel vindicated for my paranoia. I'm sure they're doing many more nefarious things.


Meh. It is just your phone number. What is the big deal?


Meh. It is just your ______. What is the big deal?

^This is a slippery slope!


It's more of Android's fault letting this happen than Facebook's.


Facebook grabs or publishes data without users' consent. Does that really surprise anyone anymore?


You don't need Facebook. Kill your profile.


In case you didn't read the article:

"The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

So an accidental launch is all you need.


You do still need to install and agree to the permissions though. I wonder if this is in the list.


Facebook comes pre-installed on a lot of phones. Can't even remove it without rooting the phone.


It appears that Facebook may have recently leaked information related to their so-called dark profiles, too; from folks without FB accounts.

http://threatpost.com/facebook-underplays-data-exposure-from...


It's interesting that many of my post-college friends are finding content on Facebook increasingly less relatable, and therefore using it less. I think part of Facebook's appeal to those still in school is that it acts to reinforce the social bonds that are formed through physical encounters. Once those physical encounters die out, Facebook's use is also diminished.


That's not so bad compared to the other permissions on there. With Facebook, I'd guess (maybe incorrectly) you're already listing your phone number on there and they'll eventually get it anyway. I'd like to know the reason behind some other things on that permissions list...

https://play.google.com/store/apps/details?id=com.facebook.k...

* Directly call phone numbers: Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Note that this doesn't allow the app to call emergency numbers. Malicious apps may cost you money by making calls without your confirmation.

* Read phone status and identity: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

* Write call log: Allows the app to modify your device's call log, including data about incoming and outgoing calls. Malicious apps may use this to erase or modify your call log.

* Read call log: Allows the app to read your device's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.

Account management I can understand. Location makes sense for checking-in and what not. Reading/modifying contacts also makes sense if you'd like it to manage your contacts automatically.

The call logs are the ones that really confuse me. The only thing I can think of that would make sense is charging for Facebook Credits via your carrier and trying not to confuse the user into thinking they're getting charged twice (once via the Facebook App and once more via the phone call).


Why is there an API for phone number that does not require user consent? Facebook and Google are both at fault here.


In order to install the app the user has to approve a long list of required permissions including "read phone status and identity".


Between a UI that looks exactly like the mobile page loaded in Chrome/Stock Browser, draining battery and abusing location/privacy why would anyone want to use Facebook on their Android phone? Delete it, disable it or just don't sign in as applicable.


That must make it easier for the NSA to link your phone number to your Facebook account.


Bingo!


I thought this was a known fact. Aren't there numerous articles where people were surprised how Facebook knew and was recommending their dentist/plumber/clients to be added? Towards the end it turned out to be from the contact list uploaded from the user's phone.

I am not going to say to avoid FB, but if you really want it on the phone, please use a non-official version for privacy's sake. At least on Android, they are less sucky than the official version. One of those times I am happy a company doesn't make an official version for Windows Phone and the MS version doesn't suck.


Not only that, it seems they will match your phone number if any of your friends upload their contact list to Facebook.


I assume this is the same app that hacks Dalvik to even work? (https://www.facebook.com/notes/facebook-engineering/under-th...)


It's a shame they had to do that. I find that Android is painful to develop for.

We had issues where certain Android versions were unable to install our app. The workaround involved renaming some of our data files to use a .jpg extension so that they would be treated as image assets and not loaded entirely into memory on install, causing the device to run out of RAM. (I forget the exact details, as my coworker discovered the issue and workaround at the time.)


Facebook is the best, why bother asking for your phone number if you already told them all your life.


Don't worry guys, the data is only for PRISM so it's in good hands </sarcasm>.


If you are afraid of your privacy being violated, why are you using Facebook in the first place?


I'm surprised we're surprised really, to me this is what I'd expect it to do.


This is something that has been going on for a couple of years you know


Don't forget this app comes pre-installed on several phones too..


In the newest CyanogenMod nightlies there is the new Privacy Guard. It basically shows the app an empty contacts list and other stuff.



