Slashdot Mirror


Facebook's Android App Can Now Retrieve Data About What Apps You Use

An anonymous reader writes "Facebook on Friday released its Android launcher called Home. The company also updated its Facebook app, adding in new permissions to allow it to collect data about the apps you are running. Facebook has set up Home to interface with the main Facebook app on Android to do all the work. In fact, the main Facebook app features all the required permissions letting the Home app meekly state: 'THIS APPLICATION REQUIRES NO SPECIAL PERMISSIONS TO RUN.' As such, it’s the Facebook app that’s doing all the information collecting. It’s unclear, however, if it will do so even if Facebook Home is not installed. Facebook may simply be declaring all the permissions the Home launcher requires, meaning the app only starts collecting data if Home asks it to."

38 of 176 comments

  1. Big Android Problem by Richy_T · · Score: 5, Insightful

    It was a mistake to allow apps to declare which access rights they want and then present users with a take-it-or-leave-it choice. While this part in itself is not a bad thing, it should be possible for users to fine-tune the settings once an app is installed and the apps then cope with that. I know there are apps out there that let you do this or similar but it should have been built in from the start. This is the ActiveX of the 2010s.

    1. Re:Big Android Problem by AK Marc · · Score: 4, Interesting

      I agree. I've always called for that. I've been told there are apps that do that, but it should be an OS level feature. I should be able to lie to my apps, much like I can by running a VM in a temporary partition with a single app inside it. Present a blank contact list and call history to any apps that ask. Block access to other apps (email and such). Let me choose.

    2. Re:Big Android Problem by Greyfox · · Score: 2

      I seem to recall reading that a newer CyanogenMod allows you to disable specific access rights on an app. Don't think it should have network access? Disable that access right. They did note that this could potentially "cause instability" with the application running. I'm pretty tempted to give it another go to get rid of the crapware my provider installed on the phone and pick up this feature.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Big Android Problem by __aaltlg1547 · · Score: 5, Informative

      You can use "Permissions Free" for example to modify an app's permissions. But some apps won't run if you take away any of their permissions. What's really needed is sandboxing.

    4. Re:Big Android Problem by Anonymous Coward · · Score: 5, Informative

      As an app developer I would also like "negotiable" permissions.

      I think a long list of permissions can be off-putting to users, and many permissions are needed only when the user actually tries to e.g. send an SMS from the app or take a picture. It would be better at that point to ask the user if they trust the app, much like the Android VpnService has to when it starts.

      The other error is that some permissions are far too broad. For example, lots of apps require "Read phone state and identity" which gives the ability to learn not only the phone number, but also whether you are in a call and the number of the other party. Similarly there's a permission to read the phone book. A number of these apps simply want a unique ID for licensing purposes (the IMEI can be used where available, and the phone book gives the Google account) but end up with a whole lot more and look a bit suspect.

      The ID thing is discussed at http://android-developers.blogspot.co.uk/2011/03/identifying-app-installations.html, but the conclusion is poor, suggesting use of ANDROID_ID, but then still needing to jump through hoops for legacy devices. With about 40% of devices at API level 10 (http://developer.android.com/about/dashboards/index.html) this still gives developers a headache.
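
The licensing-ID point in the comment above, as an added example that is not part of the original comment: a random per-installation identifier kept in app-private storage needs neither "Read phone state and identity" nor phone book access. It is plain Java so it runs off-device; the `InstallationId` class, the file name and the directory argument are assumptions (on Android the directory would be the app's private files directory).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.UUID;

/** Hypothetical helper: a random ID for this installation, not tied to the device or its owner. */
public final class InstallationId {
    private static final String FILE_NAME = "INSTALLATION"; // assumed file name

    private InstallationId() {}

    /** Returns the ID stored under appPrivateDir, creating it on first use. */
    public static synchronized String get(Path appPrivateDir) throws IOException {
        Path file = appPrivateDir.resolve(FILE_NAME);
        if (Files.exists(file)) {
            String stored = read(file);
            if (isValid(stored)) {
                return stored;
            }
            Files.delete(file); // corrupt or truncated file: regenerate
        }
        String fresh = UUID.randomUUID().toString();
        try {
            // CREATE_NEW fails if the file already exists, so a concurrent writer is detected.
            Files.write(file, fresh.getBytes(StandardCharsets.UTF_8),
                    StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
            return fresh;
        } catch (FileAlreadyExistsException raced) {
            return read(file); // another process created it first; use its value
        }
    }

    private static String read(Path file) throws IOException {
        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim();
    }

    private static boolean isValid(String candidate) {
        try {
            UUID.fromString(candidate);
            return true;
        } catch (IllegalArgumentException notAUuid) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the app-private directory.
        Path dir = Files.createTempDirectory("app-private");
        String firstLaunch = get(dir);
        String secondLaunch = get(dir);
        System.out.println("first launch:  " + firstLaunch);
        System.out.println("second launch: " + secondLaunch);
        System.out.println("stable: " + firstLaunch.equals(secondLaunch));
    }
}
```

The identifier is lost when the app's data is cleared or the app is reinstalled, which is the trade-off against a hardware identifier such as the IMEI.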

    5. Re:Big Android Problem by admdrew · · Score: 5, Informative

      Cyanogen definitely allowed this at one point (when looking at an installed app's settings, you could touch any of the permissions which would strike them out); it was hit or miss, with some apps crashing constantly when you disabled any of their permissions. I'm running 10.1 right now, and unfortunately this feature doesn't seem to exist anymore.

    6. Re:Big Android Problem by Fuzzums · · Score: 4, Insightful

      And, obviously, some scheme in the Play Store to flag apps which get too greedy, or which require classes of permissions which few should really need.

      Obviously definitely not that. It's a developer-first market. Developers are expensive and they do all the work for Google. For free. So Google is the last one that is going to limit them.

      --
      Privacy is terrorism.

    7. Re:Big Android Problem by bill_mcgonigle · · Score: 2

      This article has the background and links.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    8. Re:Big Android Problem by Anonymous Coward · · Score: 3, Insightful

      A cool feature would be the ability to provide selected apps with spoofed data.

    9. Re:Big Android Problem by waffle zero · · Score: 4, Interesting

      A cool feature would be the ability to provide selected apps with spoofed data.

      That feature was proposed for Cyanogen and a patch was written. It was never included out of fears that developers would block Cyanogen from installing apps on the (then named) Android Market.

    10. Re:Big Android Problem by Rich0 · · Score: 4, Interesting

      There are various patches that implement this. There were some root-requiring apps that did this as well but I don't believe they work post-v4.

      The key isn't to return errors to applications - you just need to return a successful call with no useful data. If it asks for contacts, just say that the user hasn't defined any (a situation every app has to handle anyway). If it asks for the IMEI tell the app that there is no SIM installed. If it asks for the location, tell the app that there is no GPS coverage. If it asks to phone home, tell it that the network appears to be down at the moment.

      Apps handle all of these things gracefully already. The key is to intercept the API call and direct it along one of these paths, and not to just return an error due to a lack of permissions, which the app no doubt was not designed for since it was supposed to be guaranteed those permissions.
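
An off-device model of the behaviour described in the comment above, added here as an illustration and not taken from any of the patches mentioned in this thread: a per-app policy layer in front of a data source that can pass the call through, fail it with a permission error, or answer successfully with no data. All class, method and package names are hypothetical, and the contact entries are constructed sample values.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public final class PrivacyShimDemo {
    enum Policy { ALLOW, DENY_WITH_ERROR, RETURN_EMPTY }

    /** Stand-in for a platform data source such as the contacts list. */
    interface ContactSource {
        List<String> contactsFor(String callerPackage);
    }

    /** The real data (constructed sample values). */
    static final class RealContacts implements ContactSource {
        public List<String> contactsFor(String callerPackage) {
            return List.of("Alice <+1-555-0100>", "Bob <+1-555-0101>");
        }
    }

    /** Policy layer sitting between the app and the real source. */
    static final class PolicyShim implements ContactSource {
        private final ContactSource real;
        private final Map<String, Policy> perApp = new HashMap<>();

        PolicyShim(ContactSource real) { this.real = real; }

        void set(String callerPackage, Policy policy) { perApp.put(callerPackage, policy); }

        public List<String> contactsFor(String callerPackage) {
            // Apps with no explicit policy get the empty answer, not the real data.
            switch (perApp.getOrDefault(callerPackage, Policy.RETURN_EMPTY)) {
                case ALLOW:
                    return real.contactsFor(callerPackage);
                case DENY_WITH_ERROR:
                    throw new SecurityException("permission denied for " + callerPackage);
                default:
                    return Collections.emptyList(); // successful call, nothing useful in it
            }
        }
    }

    /** An app written on the assumption that its install-time permission is always granted. */
    static String appStartup(ContactSource source, String callerPackage) {
        List<String> contacts = source.contactsFor(callerPackage); // no error handling
        return contacts.isEmpty()
                ? "showing the 'no contacts yet' screen"
                : "syncing " + contacts.size() + " contacts";
    }

    public static void main(String[] args) {
        PolicyShim shim = new PolicyShim(new RealContacts());
        shim.set("com.example.trusted", Policy.ALLOW);
        shim.set("com.example.revoked", Policy.DENY_WITH_ERROR);
        shim.set("com.example.fedempty", Policy.RETURN_EMPTY);

        String[] apps = {"com.example.trusted", "com.example.revoked",
                         "com.example.fedempty", "com.example.unknown"};
        for (String pkg : apps) {
            try {
                System.out.println(pkg + ": " + appStartup(shim, pkg));
            } catch (SecurityException e) {
                System.out.println(pkg + ": crashed (" + e.getMessage() + ")");
            }
        }
    }
}
```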

    11. Re:Big Android Problem by paulkoan · · Score: 5, Informative

      The Pdroid http://www.xda-developers.com/android/pdroid-the-better-privacy-protection/ patches are a "better" approach. They allow apps to keep the permissions they are designed to use, but feed them fake data when they use them.

      This protects privacy without crashing apps. However, it requires either a custom firmware with it already baked in, or running the patches against official firmware+root. This places it out of the comfort zone of many.

      --
      This signature intentionally left blank

    12. Re:Big Android Problem by alostpacket · · Score: 2

      This is something I have been hoping to get time to write for a while, more of a Wiki with statistics of how apps creep in their permission usage. Basically a community informational tool. Unfortunately I haven't had the time, nor much server coding experience. (If anyone is interested in contributing please feel free to contact me through my website).

      And while your cynical take on the "developer first market" is not far off the mark, I think we should remember that there is a social contract between dev and user. I write a program and you pay me to buy it, or look at ads to use it. This part isn't really one sided at all. The problem is actually that permissions are granted before the user has a real chance to evaluate the application. This puts the users on the defensive.

      I think if the social contract between dev and user was something agreed to at the time a feature was used, that would be better. It would put both dev and user on equal ground. If an app dev needs that permission (for technical or business reasons), and they are denied it, they can shut down the app gracefully. If a user wants to deny some overreaching, they can also do so. With this case, either side can walk away at any time.

      However, when the OS starts spoofing data (like the IMEI) in place of things (à la the rejected Cyanogen patch), it breaks that contract both figuratively, and possibly literally. (For example if the user has agreed to TOS, and is now breaking them). I worry as a user that if we ever hope to have a system by which we retain control over permissions, we cannot break the contract, it will start an arms race (akin to ad blocking on websites).

      What we need is to give users better tools to push back against permission creep, and for devs to have opportunities to cut back to what they really need.

      --
      PocketPermissions Android Permission Guide

    13. Re:Big Android Problem by Ottibus · · Score: 2

      The sad thing is that the default Windows security model is significantly better than the default Unix security model but isn't used in an effective way to secure the system.

  2. Why are you still surprised by this? by moderators_are_w*nke · · Score: 5, Insightful

    You buy a device to store your personal data on from a company that collects personal data for a living, and then run an app on it from another company that profits from collecting your data and then are confused when they collect your personal data?

    Reposting as me

    --
    "XML is like violence. If it doesn't solve your problem, use more." - Anonymous Coward

    1. Re:Why are you still surprised by this? by admdrew · · Score: 2

      Who said anyone was confused? Data collection and app permissions don't need to be "all or nothing."

  3. I doubt most people will flinch but... by Anonymous Coward · · Score: 5, Interesting

    I was actually curious to try Home, but when I saw the new permissions requested by the Facebook base app, I just said 'enough is enough' and deleted it.

    I think I'm definitely in the minority, but stuff like this increases that bifurcation of their userbase. I keep a toe in just because I know people that use Facebook as a primary communications tool, but I already log in only in a separate browser from everything else I do just to quarantine it.

    1. Re:I doubt most people will flinch but... by MysteriousPreacher · · Score: 2

      I wasn't curious to try Home, but I saw the new permissions requested in order for Home to work, and recalled the last time I ditched the Facebook app, which was when they silently installed Camera and Messaging apps alongside it without my consent. They came to their senses on that, and bought themselves a second chance, but I'm afraid there won't be a third chance, because their app is no longer offering the value of contact integration that it was in those days, and by uninstalling it, I've realised how much of my battery drain was caused by that app.

      Facebook users generally don't mind the battery drain or privacy impact of the Facebook app unless it causes their Bonzi Buddies to deliver adverts more slowly than is usual.

      --
      -- Using the preview button since 2005

  4. Bye bye Facebook by rueger · · Score: 5, Informative

    I looked over the new permissions being demanded by Facebook for the latest Android app update, and stopped dead at the point when they told me that the app could now "call phone numbers without your intervention." Say WHAT??

    I expect Google to have pretty intimate integration into an Android phone. I signed on knowing that. From everything I read Facebook is now looking to pretty much take control of the phone OS, not by developing their own, but by hijacking large swaths of control from Android or the user.

    Ultimately though one thing is making me stay away from this update, Facebook Home, and probably Facebook entirely on my phone: the Facebook app has been hands down the worst thing I've installed, and gets more useless with every upgrade.

  5. Use Tinfoil Instead by Anonymous Coward · · Score: 5, Informative

    USE TINFOIL FOR FACEBOOK!!!

    Seriously guys. It works pretty well, and it isn't as annoying as the Facebook app.

    https://play.google.com/store/apps/details?id=com.danvelazco.fbwrapper&hl=en

  6. Facebook on android == teh suck by stair69 · · Score: 2

    Facebook's Android app drains battery, is full of bugs and has a weird non-standard interface. I didn't think they could make it any worse, but here we go - well done Facebook, you really raised the bar on suck there.

  7. When you assume... by 93 Escort Wagon · · Score: 5, Insightful

    If an app states it needs permission to do X and Y, it would be rather naive to not assume it will do X and Y.

    I'm a little surprised Android hasn't copied iOS's behavior, where it asks the user whether or not to grant permissions to a specific thing (e.g. Contacts or Location) at the time the app tries to do so - it just makes sense, and it's not like both OSes haven't copied from each other before. But I suspect Google doesn't really want to remind you of what information each of its apps is accessing, or when.

    --
    #DeleteChrome

    1. Re:When you assume... by 93 Escort Wagon · · Score: 2

      I don't want to give the impression I'm trying to argue against your comment, because it's great those are available; but since they require a rooted phone, they may not be practical options for non-technical people.

      --
      #DeleteChrome

  8. Google is in on it by plastick · · Score: 3, Informative

    Want proof that Google, Verizon, etc. are in on the privacy nightmares of Android?

    They keep releasing new versions that prevent people (who own their phones) from rooting them to

    1) block ads ( from their Google Play store)

    2) prevent you from using apps to control permissions (like LBE Privacy Guard that now reboots your phone in an endless loop)

    With all the time and effort put into their OS, why have they not allowed users to control permissions on apps in any way, shape, or form? Why? Because they are marketing companies that also sell your data to other companies (including all the top mobile carriers). They make deals with these companies and propagate the problem - turning smart phones into a privacy nightmare. And it's not like the iPhone is any better.

    Until people take a stand (and stop being a bunch of apathetic consumers), it's not going to change. People allow themselves to be taken advantage of. It's sad. Most don't even care. They'll happily give Facebook and Google all their information because "they don't have anything to hide" - which we all know is the lamest excuse for apathy possible and is easily dismissed as moronic. And it just keeps getting worse - and now our governments collect this data too.

    And what is the effect? People are not getting jobs or losing their jobs due to their Facebook posts. Insurance companies are increasing rates on people who type certain terms into their search engines. And that's just barely getting started!

    Wake up, folks!

  9. This is why it's important to get root access... by excursive · · Score: 2

    If you have root you can turn off those permissions. If the app doesn't run without snooping permissions (as Groupon and Google Offers do not), well, it's their choice not to get my business.

  10. Pause while in call by tepples · · Score: 5, Informative

    For example, lots of apps require "Read phone state and identity" which gives the ability to learn not only the phone number, but also whether you are in a call and the number of the other party.

    There's a very good reason for media players and games to require this. Knowing whether the user is in a call allows the program to pause itself until the call completes.

    1. Re:Pause while in call by chihowa · · Score: 3, Insightful

      Because the permissions are too coarse grained. Weren't you paying attention? That's what this whole thread has been about!

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.

    2. Re:Pause while in call by Simon Brooke · · Score: 2

      Because the permissions are too coarse grained. Weren't you paying attention? That's what this whole thread has been about!

      This.

      I don't, in general, mind apps knowing whether or not I'm in a call. I mind very much their knowing who I'm calling. That's exceedingly intrusive. It's the single thing which makes me most unhappy about Android at present - more and more apps are asking for this permission, and as it's an all or nothing thing, you either grant the permission or don't install the app. Generally, I don't install the app - because I don't want commercial companies building up a map of who calls who when. I particularly don't want them knowing who I call, or who calls me. But the problem is, even if you don't install the app, the chances are the person you're talking to has, so the owners of the app get to log your call anyway.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.

  11. Re:LOL, suckers... by UltraZelda64 · · Score: 4, Interesting

    I don't laugh at all those future phones sold with this garbage, and with it installed and set up in such a way that you are forbidden from uninstalling it...

    I already have problems caused by "stock" programs on my phone that cannot be uninstalled without root access, and I cannot trust going through the process of attempting to gain root, something that could possibly leave me without a phone. Once this garbage makes its way "stock" onto commercial Android phones in the same way, there will be an even greater need to try to gain root access. I am not looking forward to the day when I have to start doing extra research just to find out if a particular cell phone comes with this Facebook garbage, only to find that they all fucking do and the only possible way out of it is to risk rooting it.

    It's already a bitch doing research for a new phone, given all the variations in (incompatible) Android versions. It's a royal pain in the ass trying to find a phone that doesn't suck in general, and doesn't force the use of a cell service provider that tries its best to fuck you up the ass. The last thing we need is to add fucking Facebook to the mix. Fuck them.

  12. Acceptance ritual under Belgian law by tepples · · Score: 2

    Luckily I live in Belgium

    For people who want what you have, how's their immigration policy?

    where clicking 'I agree' is not a form of contract

    If accepting a contract offer under Belgian law cannot be done by activating a control in a graphical user interface, then how can anybody sign up for a service or buy a product over the Internet?

    1. Re:Acceptance ritual under Belgian law by mrmeval · · Score: 3, Informative

      It should be done by mail/phone with a credit card with credentials mailed to you. It worked very well to keep trolls and spam off of Fidonet and Rime forums, and since netmail messages cost $0.25, I'd love to get all the spam they could send. ;) BTW netmail was a feature of both those networks and I could send electronic mail all over the world. Both networks were like the internet but far more decentralized.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty

  13. Permission rationales by tepples · · Score: 2

    They don't. Though Android unfortunately has no way to deny the "your phone number and that of everyone you ever call" permission without also denying "knowing when you're in a call so that it can pause", that's what permission rationales in the application's description are for.

    Phone state: Used for pausing when you're on a call.
    Internet: Used to synchronize recently played videos between devices. We don't share this unless you tell us to.

    "But I don't trust that people won't lie in these rationales." That's what Dalvik disassembly and free software licensing are for, so that people who get paid to review applications can verify that the application's source code actually does what the rationale says and doesn't peek at actual phone calls.

  14. Re:It's not just facebook by Takatata · · Score: 2

    And the list of worst offenders also reads like a roll-call of must haves: Pandora. Angry Birds. Netflix. Shazam. Et tu, Yelp?

    Interesting. I don't have a single one of these 'must haves' installed.

  15. Re:Website? by int19 · · Score: 2

    I installed the FB app when I first received my Galaxy Nexus, and the battery life dropped from 3 days to 1, so I axed it, and added a desktop shortcut to their mobile site, which seems to work well enough for me.

    ^ This

    I've been using the mobile website instead of the Android app for about a year. It's not quite as good as the app, but is more than adequate for my needs and has no battery impact. The only notifications I care about get emailed to me.

  16. Uninstalled by OptimalCynic · · Score: 2

    Uninstalled.

  17. Re:Balance it by alostpacket · · Score: 2

    It's not a contest -- the fact that iOS handles it well is a good thing. But it doesn't change the fact that what tepples said was also correct (though seems deprecated AFAICT). This was unfortunately the problem with that permission. It had very legitimate uses, and very nefarious ones too.

    Nevertheless, you brought up the comparison to iOS. So kindly spare us the "only on slashdot" stuff when it was you who seemed to be spoiling for a brand fight.

    --
    PocketPermissions Android Permission Guide

  18. let's get this straight... by Mysticalfruit · · Score: 2

    I'm shocked a social networking company that makes its money by selling as much data as it can possibly mine out of its userbase has created an uber app that runs on your mobile device and gives them unfettered access to all your information.

    Really? People are shocked by this? I would have been much more shocked if a report came out showing how Facebook Home actually protected your privacy.

    Honestly I never had any interest in running this on any mobile device I own. Firstly I care about my privacy and secondly I could give two shits what the highest score my aunt has achieved in Candy Crush today. I always wondered what would happen if Farmville and Bejeweled had a baby... it's truly a Lovecraftian horror of tentacles, eyes and mouths..

    --
    Yes Francis, the world has gone crazy.

  19. Re:LOL, suckers... by Chrisq · · Score: 3, Funny

    Android is total spyware anyway - the electronic equivalent of standing on a street corner bent over with your shorts down to your ankles. Enjoy.

    I have to say I didn't enjoy my Android phone half as much as your other suggestion.