I know this is commonplace on desktops, but it really freaks me out on my phone. Especially with Facebook's track record of, say, going through my contacts and adding the facebook "email" (which nobody in their right mind would use over a real email system), consistently (but technically legally) violating my privacy, and enabling opt-out "features" that are usually unasked for and unwanted.
In short, Facebook is the last app I would want auto-updating.
EDIT: I realize you can refuse the update, but what's the point? It doesn't look like you can see what has changed.
Yes, that's the default setting. So your options are to change that setting and update, get constantly buzzed with notifications to update, or uninstall. I uninstalled.
Sadly, this is sucky on both ends of the equation.
When I interned at Facebook two years ago, it was a PITA to change the API to work around bugs that were fixed in old versions of FB4A because people wouldn't upgrade -- whereas the vast majority of iOS users upgraded the Facebook app within days of a new release showing up in the App Store. The addition of non-Play devices makes this even worse.
Granted, I had my own reasons for not wanting to upgrade, so I can sympathize with users, too. (Facebook was pre-installed on my device, and upgrading caused it to take up space in the 180 MB volatile/userdata partition on my Nexus One. I eventually solved the issue by buying a Galaxy Nexus, but I recognize not everyone can buy new phones that frequently.)
I still think that is a terrible default for the truly paranoid.
Google could, at any time, initiate a cloud-to-device intent to install arbitrary software that you "wanted" from Google Play. They don't unless they ask you to, but the capability is there.
The bigger thorn is if you're on a device where the manufacturer or carrier has hidden or removed the option to install arbitrary APKs.
This might be unexpected, but I can't see how it would violate any ToS. Google explicitly allows alternative app stores and side-loading apps. Even apps sold through the play store often have in-app purchases which significantly change the app functionality.
I think changing permissions after being installed is pretty odd. Other than that, this has been done before. The Battle for Wesnoth app is just a wrapper that downloads the real game after you install it.
Presumably this downloads new executable code (or bytecode) rather than data. I could put up a shell app which does the same thing to download exploits after a while. This is why Apple has the "don't download code" rule (and why they had a "no interpreters" rule).
So maybe it's OK in the ToS right now, but I can understand why it shouldn't be OK, especially on a platform with so many local exploits (like Samsung's world-writable /dev/mem equivalent, etc).
EDIT: Actually they're just grabbing a new APK, which is weirder in a way since they are literally duplicating the Play Store mechanism but avoiding the good things that the Play Store tries to do for customers (static analysis for security risks, etc). Why wouldn't they just notify the user that a new version is available from Play? Bizarre choice.
I like the idea, but I wish that they would do something about the Android app. It's supposed to be on par with the iPhone app, but I have found it to be much slower, and a lot of the internal links and notifications seem to take me to non-existent pages. On top of that, it seems like no matter what my actual network state, I occasionally see "Network error" at the top of the page before it actually does anything.
I don't think it's important that just any app is "skirting the store" (plenty do that already, it's not an issue). What is interesting is that Facebook is doing it.
Auto Updates are part of the Android store already, so this doesn't even offer new functionality. However, it does offer Facebook a couple interesting options.
1) They could force users to update, possibly to versions with more permissions. The keyword here is force, which the Play store won't do.
2) They could update devices that don't use the Play or Amazon store, if the application was somehow on the phone (from the carrier or manufacturer, perhaps). I think this is most likely.
3) They could remove most permissions from the Facebook app on the store, only to have the app request them after requiring an update.
Plenty of apps force updates through the play store by disabling functionality remotely in the currently installed application. I've had games and other applications that have no legitimate need for remote server interactions become disabled because a newer version is available, where any attempt to launch the application redirects to the play store page instead. This isn't good, and most of those applications don't last on my devices, but that isn't a completely unheard of practice.
This is bad. Facebook doing this can potentially lead other devs following, and if this happens we'll end up in a ecosystem mess where every app does whatever it well pleases.
19 comments
[ 3.2 ms ] story [ 54.0 ms ] threadIn short, Facebook is the last app I would want auto-updating.
EDIT: I realize you can refuse the update, but what's the point? It doesn't look like you can see what has changed.
If you own a cell phone, you're already screwed from a privacy standpoint with carriers tracking which tower you're connected to.
tl;dr: You should be freaked out, but not by this.
http://stackoverflow.com/questions/4967669/android-install-a...
When I interned at Facebook two years ago, it was a PITA to change the API to work around bugs that were fixed in old versions of FB4A because people wouldn't upgrade -- whereas the vast majority of iOS users upgraded the Facebook app within days of a new release showing up in the App Store. The addition of non-Play devices makes this even worse.
Granted, I had my own reasons for not wanting to upgrade, so I can sympathize with users, too. (Facebook was pre-installed on my device, and upgrading caused it to take up space in the 180 MB volatile/userdata partition on my Nexus One. I eventually solved the issue by buying a Galaxy Nexus, but I recognize not everyone can buy new phones that frequently.)
Google could, at any time, initiate a cloud-to-device intent to install arbitrary software that you "wanted" from Google Play. They don't unless they ask you to, but the capability is there.
The bigger thorn is if you're on a device where the manufacturer or carrier has hidden or removed the option to install arbitrary APKs.
P.S. I am not an Android user, so I might be unaware of obvious benefits/harms.
I think changing permissions after being installed is pretty odd. Other than that, this has been done before. The Battle for Wesnoth app is just a wrapper that downloads the real game after you install it.
So maybe it's OK in the ToS right now, but I can understand why it shouldn't be OK, especially on a platform with so many local exploits (like Samsung's world-writable /dev/mem equivalent, etc).
EDIT: Actually they're just grabbing a new APK, which is weirder in a way since they are literally duplicating the Play Store mechanism but avoiding the good things that the Play Store tries to do for customers (static analysis for security risks, etc). Why wouldn't they just notify the user that a new version is available from Play? Bizarre choice.
But you have to allow untrusted sources installation in the security menu, and still have the installation screen (left screenshot in the article).
I don't see a problem, some games are downloading and updating their files too. If you don't trust the app, use FB website.
Auto Updates are part of the Android store already, so this doesn't even offer new functionality. However, it does offer Facebook a couple interesting options.
1) They could force users to update, possibly to versions with more permissions. The keyword here is force, which the Play store won't do.
2) They could update devices that don't use the Play or Amazon store, if the application was somehow on the phone (from the carrier or manufacturer, perhaps). I think this is most likely.
3) They could remove most permissions from the Facebook app on the store, only to have the app request them after requiring an update.