At this point I'm running at least 2 versions behind on the facebook app. I didn't install it last time it asked me to allow it to "Send emails to guests [of events] without host's knowledge" among other things. I see now that they also want to be able to connect and disconnect from WiFi.
The Facebook app is probably the fastest way to find a list of all permissions in the Android system. "Draw over other apps", "Read battery statistics". I don't know what part of facebook requires either of those options, and the mobile version of their website offers me the minimal amount of functionality I need.
The act of writing this comment has made me uninstall the damned thing. Just reclaimed 17.61MB, and probably a fair amount of space in my mind since I'll check Facebook less often.
I'm sure, as the author of the linked article asserts, most people blindly accept the permissioning changes, but I hope this permission-creep starts to cost them installs.
I did the same. I am several versions behind due to the requests for increased permissions, but this gave me the impetus to finally purge a bunch of applications with updates wanting additional, seemingly unnecessary, permissions. Though it was slow, I liked Bandsintown until a recent update wanted to read my contacts.
Facebook is now wrapped by Tinfoil-Facebook and Twitter is now relegated to the browser.
"view Wi-Fi connections". Hmm, is there a reason it also needs the geolocation permission and that? Are they gathering their own geolocation data bootstrapped from google's somehow?
Which caused me to freak out when it first happened. I was furious. I had to stop everything I was doing immediately in order to figure out how to disable it.
I can't possibly state emphatically enough how user-hostile that feature is. It is so disruptive to my thought process...it's nearly as bad as that awful focus-stealing thing that Windows does.
I can understand it might have been unnerving but on the other hand the feature was documented in the change log and in the list of new permissions the app required (in the version chat heads were introduced). Personally I find chat heads convenient and useful
It makes it easier for me to carry on conversations while also doing other things on my phone. If I'm reading something, and someone responds to a message, I can quickly pop open the chat window and respond, then close it and go back to what I was doing. I find that more convenient than going back to the home screen and launching an app from there or the (rather slow) app switching process.
Yes, sometimes it does get in the way of what I'm doing, and in those cases I just swipe the chat head down to the bottom of the screen and it goes away. And considering turning it off is one of the options in the first page of the settings, I'm not really understanding why it would make you furious or think this is user-hostile. Overall it's a pretty unimportant change that is easy to disable if you don't like it.
Yeah this is the update I stopped at too.. Now I might just delete the Facebook app because I hate constantly seeing that there is an update waiting for me.
Same here - about running 2 versions behind, at least. I haven't deleted the app yet, but I refuse to give it permission to send or read texts without my knowledge or permission. I don't care what their explanation is for wanting those permissions, but they're not necessary and not something I'm willing to trust Facebook with.
use cyanogenmod + privacy mode, you can disable what the app can do. for example, you can disable that. app still works, it just gets an empty sms list.
Well, they could read all that other stuff by default with no warning previously until all sorts of apps abused it. Then Apple had to add in the prompts for things like reading Contacts. I'd imagine the Android devs are working on similar since the list of permissions model is breaking down.
It's not without its own faults (and it used to have some huge gaps, such as address book access), but the iOS privacy model is simply a more user-centered paradigm than on Android.
Android apps ask you if you want to update to the new version or stick with the old one indefinitely; privacy settings are non-negotiable. iOS apps ask you as they go: If iOS had an SMS API, Facebook wouldn't need to ask you until you enabled two-factor authentication (assuming that's all they use it for). And you could turn it back off later if you weren't comfortable leaving it on.
Funny you say that, because iOS already has all these little options. What's better, apps still get installed and users don't have to make this decision upfront. When permission is required for the first time, dialog box pops up, and then you can refuse each permission individually - i.e. you can give Facebook access to location so you can check in, but block access to contacts.
The iphone has had fine-grained privacy before App Ops was released and then removed, and I also think before CyanogenMod had Privacy Guard. One of the few good things about the platform.
Unfortunately, Cyanogenmod's Privacy Guard does not block everything (e.g. your IMEI is still readable if permission READ_PHONE_STATE is granted). XPrivacy can help in this case, but its UI is quite convoluted.
This feature is nowadays called Privacy Guard and it works so well that I have it on by default for all apps. With the exception of apps that actually need to read my contacts (say WhatsApp), I have not had to disable it for any applications and haven't seen any complications. For example Facebook and Twitter apps, which require a whole rainbow of permissions, function just the way they used to. I've never made a lot of use of their location dependent features though and would expect those to suffer from being deprived of GPS data.
I haven't got round to rooting my droid yet, but my plan is to always tell facebook/twitter/google+ that my current position is directly under the moon/iss/some other satilite. Or maybe I'll trace out "Hello FB" on the Atlantic ocean.
This sounds excellent, I can't believe I never tried it yet! Of course, this should be part of core Android, but I guess there is no hope for that (given that Google makes its dough on advertising).
It used to be, called App Ops. It was in for (one?) point release before google promptly withdrew it again after realising that giving people tools to protect their privacy goes against their mission.
According to Google [1], it was never meant to ship at that point as it was not ready for general public. There was some compatibility problems with many applications, so that is somewhat believable.
Of course, they have to spin it some way, because they're years past the point they could be honest and believed. I think it's more likely one google engineer wanted to resist the constant invasion of privacy and likely ended up paying with his job.
App Ops throws SecurityExceptions when you try to access a permission, it doesn't return empty data. You can imagine that most apps didn't build exception handling into the feature access that is required in the manifest at install time. That is the primary reason why it is not a fully public feature for users.
This one is pretty simple, actually. They do obscure AdBlock from the store — if listed in order of popularity instead of being somewhat curated, it’d be at the top of the page. But to your point, imagine they did remove AdBlock from the store. Nerds would stop using Chrome. (Assuming it was not fairly straightforward to install from another source, as is increasingly true.) And we nerds tell our friends and family what browser they should be using. It’d hurt the overall popularity of the browser.
Also, it’s better for Chrome’s security reputation to allow AdBlock from within their store than to allow it from a third-party site. You don’t want to train users that it’s OK to install extensions with broad permissions from anywhere but the Chrome store!
It may become the case in the future that they re-evaluate these priorities, of course.
I uninstalled the app and put a bookmark to the mobile site on my homescreen instead (like the old days before app stores). It's slightly slower, but on a Nexus 4, it's still fast enough I don't mind. They've improved the mobile interface since the early iPhone days.
It has menu options to go directly to your news feed, the top of the page, notifications and preferences, so it makes browsing the mobile page easier. It also saves the facebook cookies so you don't have to type your user and password every time you want log in.
I remember that a couple of years ago the mobile website was actually noticeably faster than the app, at least on iOS, and gave you access to more features. Back then I kept the app around just to upload photos, but used the mobile site for everything else.
Correcting factual errors is constructive. The post implied that all you need is a Samsung Phone, then you have "Permissions Manager". No mention of an app. But then, when you look at the reviews for the app that is linked above, it doesn't give one a lot of confidence in managing permissions on Android.
Even if the app would tap into their conversations, bank account and demanded your social security number, people would still use it. "Normal" people don't understand the concept of privacy when it comes to technology like this.
Shame on Google for not allowing users to take better control over their apps and privacy. They almost did it in Android 4.3, and then took it back in 4.4, when they realized people might actually use it.
I love this app; I've been using it for years now. Never having to login to FB in the actual browser is a real boon; it's great at sandboxing their cookies.
I am not a Facebook app user since closed my account years ago so maybe not the best person to comment but... I have never understood why one needs an app to view a website? Facebook has a mobile site that works yes?
The app can push notifications to your phone, which is nice for regular users, and it can merge with contacts to fill in blank pictures and provide more information. It's not essential, but some of the integration is nice.
I use FB message to communicate with friends in other countries. I know there are other apps out there for it, but when we all have Facebook already, its easier that way.
Is it possible for another app to interface with facebooks chat or do they prevent this? I remember there used to be chat apps for pc that could do MSN, AIM, Yahoo and a bunch of others.
It helps expand their social-graph beyond what you've shared on their platform. It also gives them access to geolocation information for users that haven't shared it previously, as photos shared over text messages may contain geo-location coordinate information. It likely also gives them context about where people are, what they're doing, who they're talking to the most, and what they're communicating about so they can deliver more context-aware advertising.
But if you ask them - they'll say it helps them deliver a better experience for their users and helps connect people, and that's what people really want ... to be more-connected.
I switched to using the mobile web version of FB on my phone because of this (and made a shortcut to it on the homescreen)... though really it's a losing battle, the real solution is to dump FB altogether.
I will say that the app provides very little that the mobile web version doesn't give you. I don't even notice the difference.
"Read your text messages (SMS or MMS) If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message."
That's a pretty crap feature to use to justify this.
Yep, both Twitter and Facebook's apps seemed to start asking for this permission around the same time - they seem to be oblivious to how scary "Read your text messages" sounds to anyone vaguely concerned about privacy. I'm holding off on updating for now.
... but nonetheless it's an important example of the erosion of data privacy. Just as users are getting accustomed to clicking past EULA's so to they click past these permission request screens, and if they don't then the app keeps nagging them ... the user just wants to use the app, so permission granted.
The best way to prevent this in this app, and many other apps is to use "App Ops" in 4.4 or use CyanogenMod and enable privacy guard and then you can long press on the app and prevent the app from reading SMS and many other things while you are at it.
I wish Google would recognize that it would be beneficial to protect users from this kind of thing by providing a decent management UI that didn't require using CM. Of course, that goes against some of Google's own interests...
App Ops was not an ideal solution anyway. A specific permission couldn't be disabled until after the app used the permission at least once. So the Facebook app could read your SMS when launched, and only then you would be able to disable the permission.
This has been a thing for about a month and a bit now. A Facebook engineer posted the following on Reddit[0], explaining the rationale behind the SMS permission:
> As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, the Androids permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number (plus that wouldn't scale well because the list of numbers varies per country, but that's a separate issue).
Yes of course. But this allows them to automate that process.
Typical tradeoff: It's a nice feature, but adding it requires permissions that are off-putting to some users. I'm not sure there is a good solution here.
The problem with this is that although it's likely true, there is no guarantee that what is done with that permission will not expand in the future.
e.g. Given the explanation that it's only for 2-factor authentication, I accept and install. When the next version is released (which does more with that permission), I see no new permissions required and install.
ericcumbee's suggestion of sending a URI makes much more sense to me. A per-request permissions model would likely need to include a "yes to all" checkbox, which would be checked in short order by the vast majority of users.
I feel like some sort of manual component to two-factor authentication is the whole point (a clickable link, copy+paste, or remembering a 4 digit number).
Besides that, two factor is a bit of a joke in an app (on your phone) that caches your password, and then sends a message (to your phone) which is automatically read and accepted, before allowing you to login. What exactly are we achieving here in terms of security? Every 30 days the app authenticates itself with no user intervention.
It would be much more secure to just force a password login.
If you offer some kind of flag that can authenticate without the second factor then the whole system is moot. I.e. an attacker can fake/spoof the user agent or whatever flag you're using, the reason its OK to skip the constraint on a mobile, is that if your mobile is owned, so is your secondary factor.
For all other cases going via cell networks is a good enough secondary channel of communication which leaves out any chance of being mitmd over WiFi or something.
We are achieving the same security guarantee as before, just without the user pain. All two factor provides in this case is proof that you have the phone associated with your account. Why does it matter if the app does the legwork for you?
We are achieving the same security guarantee as before, just without the user pain.
I'd argue that a corporation other than the phone company being able to read all your text messages is significant pain.
Given that FB seems to want to take over all communication between users (contact list/blog/email/photos/messaging) FB being able to track and access anything you do is the inevitable endpoint of such aspirations, but many people are not comfortable with that, and the farther FB go down that road, the more people they'll alienate.
>I feel like some sort of manual component to two-factor authentication is the whole point
It's not really. The point is to verify that the device used for 2FA is still with you, whether you entered the code manually or it got entered automatically isn't the point of the system - and in practice has no real difference (unless your 2FA app requires password for access)
>What exactly are we achieving here in terms of security?
Verifying that the phone is still using allowed SIM card/phone number.
If you switch phones you can still get the confirmation message and access your account and if needed invalidate all other sessions.
If your phone is stolen you can do the same thing. The app password caching doesn't matter then.
It is no different than 2FA app that you have on your phone except that it's more tied to your SIM card than your phone.
The problem with many permission systems, such as this one, is that the developer of an app can't indicate to the user /why/ it needs a certain permission. Second, that the user cannot allow/disallow the permission at the time of installation, and that the app / app developer can then indicate, like in this case, that automatic two-factor authentication won't work. Which is fine.
tl;dr: Android's permission system does not allow for transparency from the developers. It makes the app developers look like douchebags going 'I WANT TO READ ALL YOUR TEXTS', instead of a 'I'd like to make things a little easier for you by automatically intercepting two-factor authentication texts'.
It's bullshit, I'm sure they have a similar motivation for retrieving running apps. When I bought my Nexus 5 I installed a game on it and was surprised to see on the desktop Facebook constantly asking me to like it. I didn't see it before and now it was there just after I had installed it, it wasn't a coincidence. Turns out the Facebook app has the permission to retrieve running apps, and this obviously happens whether you actually open the app or not, since it's always running in the background. This is fucking bullshit and I'm tired of companies always trying to peer into our lives.
A better alternative would be to ask the user each time to check if the SMS was received, that would ensure some trust.
You can't just peek into the entirety of user's SMS and justify it's for the security of your users.
At least put an option to give users a choice and not force them to have their their SMS read in the name of innovation, or explain why you read them and that need just that one SMS.
Looks like not many people knew it. If it's available on Android, FB should ask user's permission instead of force them to accept. If it's for the sake of a feature, when user declines, only need to disable that feature.
At this point, if you care about your privacy, why would you even still have a Facebook account?
I used to think I could be 'safe', that my advanced knowledge of privacy settings and optimised usage patterns could somehow shield me from the fundamental nature of these data monger corporations. But the truth is concepts like cloud and social networking are fundamentally toxic to privacy and freedom.
I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.
>At this point, if you care about your privacy, why would you even still have a Facebook account?
You could have a Facebook/Google account under a different name. I have one and its rather useful when websites have an option of logging in using facebook/google accounts.
>I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.
You could have a Facebook/Google account under a different name. I have one and its rather useful when websites have an option of logging in using facebook/google accounts.
You can easily be identified by your network of friends. The name of your account doesn't matter.
I remember noticing this on a lot more than just facebook. The Android permissions model seems to now be pointless as so many apps ask for pretty much all of the permissions.
Twitter is doing the same. It requests access to contacts list, SMS, phone call, phone Identity. I noticed the same and stopped updating. Andiord should enable users to control apps.
Not just Facebook. There are many apps that are overstepping in terms of permissions. I turned off auto-update long ago and removed many offenders, but it seems every app these days is now requesting as many privileges as they can get away with. The general population of users aren't reading the list of new permissions on updates and no one is making these co's explain themselves as to why they need listed permissions. I asked an engineer behind an app I wanted to use that paired with a paid service I love why they needed access to my contacts, considering my contact list wasn't part of the core service. I told him read access to my contacts and full network access made me wary; what would keep them from reading and storing all my contacts on their server? His only response was that they promised not to do anything nefarious. I should not have to root my phone to use apps while protecting my personal data. Android User Profiles sounded very promising to keep private away from social, but my experience testing this feature out on the Nexus 7 was terrible.
Apps do not autoupdate from the Play store if there are new permissions. You have to manually update them. I am not sure if this is a recent change or not as I started using Android with the Nexus 5.
Well, admittedly my phone isn't bleeding-edge, being a nexus 4, but it runs the latest version of Android and removal of Hangouts does make Messaging the SMS app.
What do you mean by that? It asked me if I want it to handle my sms, I said no. It asked me again when I updated to 4.4, I said no again. I can (and will) keep saying no...
I would love this feature if they actually incorporated my SMS history into Hangouts, but unfortunately I can't move or sync messages across phones or view them on my computer.
I suppose they reason that it would be too confusing to the people who would then try to SMS from their computer, as iPhone+Mac users are able to do so... but isn't segmenting my Hangouts history just as confusing?
Only on the latest Android if you buy it that way on very specific phones. For everyone else (read: MOST Android users) an upgrade happened, often from Google Talk, and wound up with a new app with full SMS control without the user knowing.
... which is written by Google. The same people who wrote the stock messaging app... and phone's OS. If they want your texts, getting them through the Hangouts app is hardly necessary.
I noticed they pushed an update to the iOS app too, but those permissions weren't mentioned in the update log. Anyone know if they claim the same access in iOS? There's no granular permissions in the iOS Privacy section to control access to messages.
225 comments
[ 3.6 ms ] story [ 195 ms ] threadThe Facebook app is probably the fastest way to find a list of all permissions in the Android system. "Draw over other apps", "Read battery statistics". I don't know what part of facebook requires either of those options, and the mobile version of their website offers me the minimal amount of functionality I need.
The act of writing this comment has made me uninstall the damned thing. Just reclaimed 17.61MB, and probably a fair amount of space in my mind since I'll check Facebook less often.
I'm sure, as the author of the linked article asserts, most people blindly accept the permissioning changes, but I hope this permission-creep starts to cost them installs.
Facebook is now wrapped by Tinfoil-Facebook and Twitter is now relegated to the browser.
[1] https://www.facebook.com/help/126760650808045
I can't possibly state emphatically enough how user-hostile that feature is. It is so disruptive to my thought process...it's nearly as bad as that awful focus-stealing thing that Windows does.
Yes, sometimes it does get in the way of what I'm doing, and in those cases I just swipe the chat head down to the bottom of the screen and it goes away. And considering turning it off is one of the options in the first page of the settings, I'm not really understanding why it would make you furious or think this is user-hostile. Overall it's a pretty unimportant change that is easy to disable if you don't like it.
Is there no meaningful way to push back against Facebook for demanding this permission?
Android apps ask you if you want to update to the new version or stick with the old one indefinitely; privacy settings are non-negotiable. iOS apps ask you as they go: If iOS had an SMS API, Facebook wouldn't need to ask you until you enabled two-factor authentication (assuming that's all they use it for). And you could turn it back off later if you weren't comfortable leaving it on.
On Android it's all or nothing.
Though I don't think I'd be tracing out "Hello". Unless you speak Bronx.
[1] http://www.dailytech.com/Google+Removes+App+Ops+Privacy+Cont...
One engineer can't launch a product alone. Just isn't possible unless its under a personal name.
"and likely ended up paying with his job."
0% chance.
Also, it’s better for Chrome’s security reputation to allow AdBlock from within their store than to allow it from a third-party site. You don’t want to train users that it’s OK to install extensions with broad permissions from anywhere but the Chrome store!
It may become the case in the future that they re-evaluate these priorities, of course.
Same as Cyanogenmod without having to root your phone.
I think "not using the app" is the most meaningful way, really.
Alternatively, spoof its private data hose and flood Facebook with garbage data, but I presume that's illegal.
Less intrusive, less privacy issues.
And it probably works better than the app.
In that situation, I cannot send or receive SMS messages, but FB, etc., work just fine.
You can use my Facebook client, which definitely doesn't read your text messages, emails and calendar.
Link: https://play.google.com/store/apps/details?id=com.flipster&h...
</shameless plug>
Does this constitute a privacy policy?
On Android you can see for yourself whether an app tries to access data such as text messages, emails or calendar.
My app doesn't ask for those permissions, therefore it can't access that data.
It's kind of sad.
But if you ask them - they'll say it helps them deliver a better experience for their users and helps connect people, and that's what people really want ... to be more-connected.
I will say that the app provides very little that the mobile web version doesn't give you. I don't even notice the difference.
That's a pretty crap feature to use to justify this.
https://www.facebook.com/help/210676372433246
http://android.stackexchange.com/questions/57726/twitter-rec...
I have it enabled default for all newly installed app.
App Ops was not an ideal solution anyway. A specific permission couldn't be disabled until after the app used the permission at least once. So the Facebook app could read your SMS when launched, and only then you would be able to disable the permission.
> As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, the Androids permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number (plus that wouldn't scale well because the list of numbers varies per country, but that's a separate issue).
[0] http://www.reddit.com/r/WTF/comments/1t5z45/facebook_why_the...
Typical tradeoff: It's a nice feature, but adding it requires permissions that are off-putting to some users. I'm not sure there is a good solution here.
But perhaps if it were implemented better it might make some sense.
e.g. Given the explanation that it's only for 2-factor authentication, I accept and install. When the next version is released (which does more with that permission), I see no new permissions required and install.
ericcumbee's suggestion of sending a URI makes much more sense to me. A per-request permissions model would likely need to include a "yes to all" checkbox, which would be checked in short order by the vast majority of users.
Besides that, two factor is a bit of a joke in an app (on your phone) that caches your password, and then sends a message (to your phone) which is automatically read and accepted, before allowing you to login. What exactly are we achieving here in terms of security? Every 30 days the app authenticates itself with no user intervention.
It would be much more secure to just force a password login.
For all other cases going via cell networks is a good enough secondary channel of communication which leaves out any chance of being mitmd over WiFi or something.
I'd argue that a corporation other than the phone company being able to read all your text messages is significant pain.
Given that FB seems to want to take over all communication between users (contact list/blog/email/photos/messaging) FB being able to track and access anything you do is the inevitable endpoint of such aspirations, but many people are not comfortable with that, and the farther FB go down that road, the more people they'll alienate.
It's not really. The point is to verify that the device used for 2FA is still with you, whether you entered the code manually or it got entered automatically isn't the point of the system - and in practice has no real difference (unless your 2FA app requires password for access)
>What exactly are we achieving here in terms of security?
Verifying that the phone is still using allowed SIM card/phone number.
If you switch phones you can still get the confirmation message and access your account and if needed invalidate all other sessions.
If your phone is stolen you can do the same thing. The app password caching doesn't matter then.
It is no different than 2FA app that you have on your phone except that it's more tied to your SIM card than your phone.
tl;dr: Android's permission system does not allow for transparency from the developers. It makes the app developers look like douchebags going 'I WANT TO READ ALL YOUR TEXTS', instead of a 'I'd like to make things a little easier for you by automatically intercepting two-factor authentication texts'.
You can't just peek into the entirety of user's SMS and justify it's for the security of your users.
At least put an option to give users a choice and not force them to have their their SMS read in the name of innovation, or explain why you read them and that need just that one SMS.
(Actually it's called AppOps and it's from Google but it's an hidden feature on stock Android)
I used to think I could be 'safe', that my advanced knowledge of privacy settings and optimised usage patterns could somehow shield me from the fundamental nature of these data monger corporations. But the truth is concepts like cloud and social networking are fundamentally toxic to privacy and freedom.
I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.
You could have a Facebook/Google account under a different name. I have one and its rather useful when websites have an option of logging in using facebook/google accounts.
>I'm now pretty close to the day I delete my Google account, and that provides far more useful functionality than Facebook.
What is this "far more useful" functionality ?
You can easily be identified by your network of friends. The name of your account doesn't matter.
Twitter is doing the same. It requests access to contacts list, SMS, phone call, phone Identity. I noticed the same and stopped updating. Andiord should enable users to control apps.
What do you mean by that? It asked me if I want it to handle my sms, I said no. It asked me again when I updated to 4.4, I said no again. I can (and will) keep saying no...
I suppose they reason that it would be too confusing to the people who would then try to SMS from their computer, as iPhone+Mac users are able to do so... but isn't segmenting my Hangouts history just as confusing?
+ it's Android (Linux's one SHAME!), which is known for keeping Privacy.
PS if you're on Facebook in the first place you can't complain about this kind of stuff