Facebook for Android and Why Zuckerberg now owns your ass (dannybrown.me)
76 points by intull on April 7, 2014 | 83 comments


Android needs to fix the way the permission system works. As it stands now, all permissions are asked upfront at installation time where the user has no data available to make an informed decision.

Also, the fact that apps only auto-update when the permissions required don't change produces all the incentive for app developers to just ask for everything. After all, most conscious users will find something they object to at install time anyways and thus might not install and most people don't read the dialog anyways, so not much to lose.

But even when android changes to ask for permissions as they are required (which could be done in a backwards compatible way by not throwing exceptions but just pretending that whatever API call you just made has succeeded, but then doing nothing or returning meaningless/no data), this still would not help with a malicious app asking nicely with a legitimate reason ("let me access your SMS to read the login token") and then using that permission for illegitimate uses ("let me upload all your SMS to my server").

Even with all these permissions, it still boils down to trust and where on the desktop world, this trust was rarely abused, in the mobile world between all the built-in adware and social integrations, that trust is badly hurt.


I'm assuming it's deliberate; training most users into clicking through warnings to expose the maximum personal data by default.


Also, give the user the ability to refuse some permissions. There is no way I'll give any app access to my SMS. As the article stated not even my closest friend or my girlfriend have access to my SMS.


I agree with you, SMS is a much private matter, but you're sadly mistaken. SMS are not encrypted nor secure communication. Your carrier can read them, and so do the relevant part of the corporate surveillance apparatus along with all you do with your mobile phone / smartphone. And so do government agencies.

SMS are sort of the same issue as clear text email, probably a bit worse.


Facebook can't access them though. This is a strange concept to some people, but an insecure method of communication can still be secure against some parties. One of the best examples is RC4 - the NSA and GCHQ are reading everything you send/receive encrypted with RC4, but likely nobody else, at least for now (although that could change at any time; another reason to eliminate it everywhere).


Moreover, legal protections exist even where technological protections do not; just because the police have the ability to intercept text messages doesn't mean they have the right to do so without a warrant (and somewhat similarly for carriers). Once you voluntarily give the police — or carriers — permission to read your text messages, all bets are off.


This is a must have until they can figure a better way to give selective permissions.

If someone comes to fix my house, I don't give them a free entry for lifetime just for convenience.


I really know nothing about how android works so excuse me if this is a stupid/impossible idea, but I wonder if someone could make an app-vetting app.

The issue seems to be that you have to give these applications their permissions so they can function, but you really have no way of knowing how those permissions are being used. So you end up just allowing everything and being at the mercy of developers or you act completely suspicious, don't install any app asking for strange permissions and may even fall into these wild accusations that giving Facebook permission to view your SMS messages is like signing over your soul to the devil.

So again, I'm really out of my game here, but I wonder if you could create an app-vetting app for android that monitors and logs internal requests for data (assuming android uses some sort of internal api to handle this) so you could see what apps are making what requests and how much data they're grabbing. And then monitor outbound network traffic to see what put and post requests are coming from the app, how much data is being transferred and where they're being delivered.

Then you would know how much of your data is actually being used by an app and how much of that data is being sent to Facebook. Granted, I'm sure apps like Facebook's are constantly sending themselves data from your phone but the things to look for are the data being sent when the app isn't active or when the request varies an objectively significant amount from the baseline requests.

If this can be figured out, you could then create a database of the results for every app logged and have a security ratings guide for the android marketplace.

If this is impossible, impractical or just plain stupid, I apologize, but it seems like something that SHOULD be possible, so I just figured I'd throw it out there.
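The analysis half of the app-vetting idea above, as an added example that is not part of the thread: it flags uploads that are far above an app's own foreground baseline or that happen while the app is inactive. The log format, app names, hosts and thresholds are all constructed, and it assumes the platform can export per-app traffic records in the first place.

```python
import statistics
from collections import defaultdict

# Constructed sample records (not real captures):
# timestamp  app  state(fg = in use, bg = inactive)  destination  bytes_out
SAMPLE_LOG = """\
1000 social.app fg api.example.net 2100
1060 social.app fg api.example.net 1900
1120 social.app fg api.example.net 2300
1180 social.app fg api.example.net 2000
4000 social.app bg upload.example.net 480000
4100 social.app fg api.example.net 2200
1000 notes.app fg sync.example.org 900
1300 notes.app fg sync.example.org 1100
1600 notes.app fg sync.example.org 1000
""".splitlines()


def parse(line):
    """Split one whitespace-separated record into a dict."""
    ts, app, state, dest, nbytes = line.split()
    return {"ts": int(ts), "app": app, "state": state,
            "dest": dest, "bytes": int(nbytes)}


def flag_uploads(lines, factor=10, min_samples=3):
    """Return records that deviate from the app's own foreground baseline.

    Baseline = median bytes_out of the app's foreground requests.
    A record is flagged when it is more than `factor` times the baseline,
    or when it was sent in the background and is larger than the baseline.
    Apps with fewer than `min_samples` foreground records are skipped,
    because a baseline built on one or two points is meaningless.
    """
    records = [parse(l) for l in lines if l.strip()]

    foreground = defaultdict(list)
    for r in records:
        if r["state"] == "fg":
            foreground[r["app"]].append(r["bytes"])

    findings = []
    for r in records:
        samples = foreground.get(r["app"], [])
        if len(samples) < min_samples:
            continue
        baseline = statistics.median(samples)
        reasons = []
        if r["bytes"] > factor * baseline:
            reasons.append("exceeds baseline")
        if r["state"] == "bg" and r["bytes"] > baseline:
            reasons.append("sent while inactive")
        if reasons:
            findings.append((r["ts"], r["app"], r["dest"], r["bytes"], reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_uploads(SAMPLE_LOG):
        print(finding)
```

Byte counts alone say nothing about what was sent; a flagged record is a prompt to inspect, not a verdict.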


Auto-updating without asking if the user is okay with the new permissions? How should this work?


Ask Apple. They seem to have solved this problem quite a while ago.

The iOS implementation allows rejection of individual permissions, doesn't prevent install, and allows the developer the freedom to choose the best possible time to ask. See https://medium.com/p/96fa4eb54f2c


Well, you're right, but Apple's model is fundamentally different. I don't think Android will switch to such a model in the (near) future. That would mean a lot of things have to be changed, and hundreds of thousands of apps would break. So we can safely assume Android will stay with its current system. Thus there is only one possibility left: improve the current system. Rejection of individual permissions would definitely be the most powerful improvement, while still being easy to implement.


If permissions could be granted not ahead of time, but rather when they're needed, you could simply update the application and just ask for permission when the new functionality was actually used.


That's Apple's system, right? Android does have a different one. Fortunately or unfortunately, I'm not really sure. Android's system definitely has advantages as well. But it goes without saying that there are serious issues that must be fixed.


It shouldn't, ever.

If Android had a better permissions model, you could allow autoupdates with new permissions disabled unless the user then chooses to enable them. That said, anyone who is serious about security has autoupdates off anyway.


> What honest and useful reason can Facebook have to get access to my texts? Seemingly they’re running with the “It will help us target better” message.

A Facebook engineer explained this permission on Reddit when the story first broke. They are using SMS access to speed up two-factor authentication. (They send an SMS to your phone, and then read it automatically.)

Full explanation here: http://www.reddit.com/r/WTF/comments/1t5z45/facebook_why_the...

Should this information comfort you? It depends on if you trust Facebook.


A LOT of apps are starting to do this. I believe Snapchat initially was the company that began doing it. When a site like Facebook uses your number to identify you, this feature actually makes sense.

I wonder if more fine-grained permissions would make more sense for this sort of feature. Perhaps it would be better if Android had support for "This app may read text messages from 1-800-XXX-XXXX" or something similar instead.


I use XPrivacy (https://play.google.com/store/apps/details?id=biz.bokhorst.x...).

With it, I have extremely fine-grained access control to a wide variety of "system calls", including access to contacts, text messages and to the device phone number.

In this case, I can permit access temporarily during the 2FA, and then return garbage values the rest of the time. Easy. (Though obviously if they harvest my text messages for other purposes during 2FA, that is a problem - but one that can be technically solved within XPrivacy imo.)

In other cases, such as running Skype, I deny access to everything always (phone number, my location, contacts, Google accounts are the things Skype makes system calls for) and Skype continues to work fine, so I think this is a viable strategy.


Since first being introduced to XPrivacy, I absolutely can not use an android phone without it. It really opened my eyes to how invasive some apps are when running in the background or just inappropriately accessing info in general (especially location information!)


It sucks that you have to have a rooted device to use this. While I think Android in general is fantastic, I'm torn by the fact that I am forced to choose between having control of my privacy or being able to use online banking, get regular updates etc.


Google Hangouts just did it to me a few days ago to verify the number on my account, I wasn't expecting it.


I've seen Telegram do this: they send a confirmation code when you sign up and the app reads the text right when it comes in and handles the verification code for you. It's quite convenient. However, if an app can get access to ALL texts just for this feature, I think these texts need to be categorized. It doesn't need access to all my texts, just the ones that THEY sent. Otherwise I'd prefer to enter verification codes (which usually seem to be only 4 digits anyway) myself. But we still can't really decide what an app may and may not access: it's all or nothing. I hope this changes. I do know it's possible to install an application to protect your system afterwards (like LBE Privacy Guard) but that's only a workaround for what I consider to be a problem.


Agreed on the specific permission to read a text from a certain source. This "access to all SMS" sounds crazy - next step is let an app peruse my email inbox I guess? Even though I'm sure that isn't too far fetched with the latest news on email privacy.


"we require that so we can automatically intercept login approvals SMS messages for people that have turned 2-factor authentication for their accounts"

Wait, how does that work?

Doesn't that kind of break 2 form authentication?

If no input is required by the user then it's pointless. If I hack your account and Facebook sends your phone an SMS to authenticate but the Facebook App automatically "intercepts" and reads the SMS message and says "Yup! It's good!" What's the point in sending the SMS message? Think about that for a moment. Why not just send a request to my smart toaster and have my smart toaster just reply "Yup, I got your message!"

Am I missing something?


I believe this is something where Android can provide a better experience by not giving a blanket permission to read all SMS. How about only allow SMS with a pre-defined header to be read by an app.


Or a time-limit, as with Bluetooth. "Read your text messages for the next 5 minutes."
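The scoping ideas raised in this thread (read only texts from one sender, only for a few minutes, and hand back empty data instead of failing once access lapses), modelled together as an added example that is not part of the thread. `SmsBroker`, `Grant`, the app id and the sender names are hypothetical; this is a toy policy model, not Android's permission API.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Sms:
    sender: str
    body: str
    received_at: int  # seconds on an arbitrary clock


@dataclass(frozen=True)
class Grant:
    senders: FrozenSet[str]  # only these senders are visible
    granted_at: int          # messages older than this stay hidden
    expires_at: int          # after this the app sees nothing again


@dataclass
class SmsBroker:
    """Hypothetical mediator between apps and the SMS inbox."""
    inbox: List[Sms]
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit: List[Tuple[int, str, str, int]] = field(default_factory=list)

    def grant(self, app: str, senders, now: int, ttl: int) -> None:
        """User approves: `app` may read texts from `senders` for `ttl` seconds."""
        self.grants[app] = Grant(frozenset(senders), now, now + ttl)

    def read_sms(self, app: str, now: int) -> List[Sms]:
        g = self.grants.get(app)
        if g is None or now >= g.expires_at:
            # No exception: the call "succeeds" with no data, so apps
            # written for the all-or-nothing model keep running.
            self.audit.append((now, app, "empty", 0))
            return []
        visible = [
            m for m in self.inbox
            if m.sender in g.senders
            and g.granted_at <= m.received_at <= now
        ]
        # Every read is logged so the user can see what was handed over.
        self.audit.append((now, app, "scoped", len(visible)))
        return visible


def demo():
    # Constructed inbox: a bank alert, a stale code, a private text, a fresh code.
    broker = SmsBroker(inbox=[
        Sms("BANK", "Balance alert", 100),
        Sms("EXAMPLE-2FA", "Old code 1111", 150),
        Sms("friend", "see you at 8", 310),
        Sms("EXAMPLE-2FA", "Login code 4821", 320),
    ])
    before = broker.read_sms("social.app", now=200)        # never granted
    broker.grant("social.app", {"EXAMPLE-2FA"}, now=300, ttl=300)  # 5 minutes
    during = broker.read_sms("social.app", now=330)        # inside the window
    after = broker.read_sms("social.app", now=601)         # window closed
    return before, during, after, broker.audit


if __name__ == "__main__":
    for part in demo():
        print(part)
```

During the window the app sees only the fresh code from the approved sender; the bank alert, the private text and the older code never leave the broker.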


I mean, the permissions do have reasonable explanations - using your contact list to 'find friends'- for instance, or writing to your call log because they're integrating VoIP calling (I assume). The wording is just a generic Android permission explanation and comes with any app which requests that permission. If you really can't cope with it, there are apps like Tinfoil which allow you to still use facebook without that added functionality and permission requirement.

A good improvement for Android would be the ability to only request permission when it's required for some key permissions (the way iOS does with contacts (I think)). Enable SMS integration in messages? Android pops up a thing saying 'Facebook wants to be able to read your SMS and MMS messages. Cool?'. UAC for Android.


You can block such permissions in CyanogenMod based roms via their 'Privacy Guard' feature. And I am sure there are other solutions but most likely would require a rooted device.

I think such functionality as you described should be included into Android as standard allowing the user to grant permissions to confidential information.


Privacy Guard is too limited. It's better than nothing, but doesn't block enough intrusive requests. Try XPrivacy instead.


This article is an excellent case study of what happens when engineers communicate through lawyers and a coarse-grained permissions system.

The engineer at Facebook wants to be able to send the phone a message so as to authenticate the validity of a phone number. She writes an Android app to do this. To get the text messages, she has to request the READ_SMS permission, so she does.

Meanwhile, the lawyers at Facebook are paid to protect the company from unnecessary liability. They decide to write a ToS that says they can do anything; that way, if they do something you don't like, you can't sue them, thus protecting the company from liability.

Later, some other engineer comes along and puts these two pieces of information together. READ_SMS!? They can do anything they want!? They must be up to something shady!

Turns out: nope! Just a miscommunication.

The real innovation in our field that I hope to see in the next few years is the right balance among the following concerns:

* Ease of use, even among non-technical users.

* Security from malicious applications / extensions / apps / etc.

* The service provider's desire to not be sued.

* The user's desire to not have his privacy violated.

If you give everything fine-grained permissions, you'll have to be a software engineer to understand how to use the application. If you don't have any permissions, every Flappy Bird clone will subscribe you to paid SMS services. If the service provider claims to be liable for privacy breaches that they didn't intend, then they'll have to prove, in court, at great cost, that they're not to blame, every time any of their billion users complains. If the service provider claims to be able to do anything, the user will assume that they're reading all of his email to pick stocks and get some good info for stealing his girlfriend.

So it's clear that the extremes don't work. What we need to find is what does work. This write-up shows how one non-extreme balance doesn't work. Let's find another one and try again!


> If you give everything fine-grained permissions, you'll have to be a software engineer to understand how to use the application

No, that fine grained permission can be intelligent & automated to protect the non-tech user. That's where Android needs to innovate. Going forward with giving blanket permissions to anything being the only way to install an app is a bad idea, even if it's a reputed company like Facebook. I don't want 10 different apps accessing my SMS just to enable easy 2FA. I also don't trust many reputed companies into doing what's best for my privacy & security.


He doesn't own my ass, I don't have a Facebook/Instagram/whatsapp/(whatever Facebook owns or will own) account and never will. I'll never need to, just as people never needed to 10 years ago, Nor will I ever have any oculus rift thingy on my head. So there, he doesn't own my ass! And when Facebook starts buying people's asses for 10 billion bucks, I still won't sell mine :)

Edit: and if one day Facebook owns the internet, then I'll buy a farm, grow veggies and get off the "grid". I'll become a "nature growth hacker" ( remember you saw it here first!).


Ever heard of Dark Profiles? Sorry to say this but Facebook does own your ass. http://tech.firstpost.com/news-analysis/facebook-developed-s...


Oh well, then that means I have this alter ego having a life of his own. Imagine this, after 40 years of having a Facebook account, my shadow account gets his numbers and shadow personality "woken up" into an AI system ( for the Brits, there's a kick ass episode of "black mirror" that illustrates this), I wonder how different my shadow me would be :) Imagine after the human race ends, some aliens resuscitate "us" by using the principle above from deep buried Facebook archives... How much more bullshit would this artificial human race be made of compared to what there is already :)


From the methods facebook used, I assumed those existed long before they've surfaced to the public so I blocked all thing facebook from my network early on, like buttons and facebook login never had the opportunity to track me as they're filtered out by my firewall.

I started following this trend of blocking unwanted stuff with ads coming to the web (at the time it meant saving bandwidth, money and time) and got serious about it when google stopped being a search engine to an ad agency. I went in full on when google started its surveillance of what everybody was doing on the web outside google (buying urchin and turning it into google analytics).

See this whole thing started with ads which quickly required tools to monitor people interactions with them and it's all been downhill from there.


No, creating dark profiles does not mean it'll suck data out of your device. It just means it'll gather existing data from web/pics etc.


And from your friends address book, SMS/chat/whatsapp...


It's easy to get sucked in for some people. I moved to the other side of the world recently. These FB owned services allow communication and sharing between my friend, family and wife's family very easy. It makes us all feel less distant.

I understand the downsides though.


Indeed. Facebook has a repeated pattern of going too far infringing people's privacy and then apologizing [1], so why would anybody trust them not to abuse the permissions once they've been granted?

I just got a new Android phone and it was an easy decision not to install the Facebook app.

[1] http://allthingsd.com/20111129/the-apologies-of-zuckerberg-a...


Their classic 'break things fast' mode. Keep infringing on user's privacy until they shout.


There is a very simple solution: Don't use facebook. It sucks anyway. There is absolutely no need for you to own an account.

// Normal 20-something year old


For me, Facebook doesn't "suck". It helps me stay in touch with friends on other continents in a more user-friendly and convenient way than email/phone calls/letters. It makes it easier to organize events/get togethers with friends nearby because it allows n-to-n communication unlike SMS/phone calls and virtually everyone has it. I pay a price with my privacy but so far I'm fine with the tradeoff.


I pay a price with my privacy but so far I'm fine with the tradeoff

Some people aren't alright with the tradeoff. I manage to stay in touch with family and friends without using it, but they happen to use it extensively. I suppose the "it sucks" opinion is just as polarising as the "I have no privacy but it's fine". Looks like the argument will never be settled!

I can imagine attempting to send letters to friends in other continents would be slow, but a nice touch if you received a letter.


Absolutely agree with you. It is most certainly possible to not use Facebook (and I commend you on doing so successfully). But stating "Facebook sucks" as fact, as opposed to opinion, is just wrong in my opinion (and it looks like you would agree).

And yes, sending letters is fun. Guess I'm just too lazy/used to the convenience of the internet.


Facebook sucks, it's a fact. Privacy is a building block for freedom and being robbed of the ability of being free sucks. Say you have a friend anywhere on earth but he/she doesn't have a facebook account, how exactly is facebook helping you staying in touch with this friend ?

Everything you wrongly attribute to facebook is actually made possible by this thing called Internet and was being done long before facebook. The only thing facebook achieved (through unethical and dubious means) is to capture and keep captive a large proportion of internet users. Which is sad as facebook is pushing hard towards the destruction of the internet and is having some success in it (contrary to microsoft who tried the same during the 90's)


I'm not being robbed if I give it away of my free will. I'd call it "paying" with privacy. Facebook sucking isn't fact, it's your opinion.

Yes, the things I mention are possible thanks to The Internet, but The Internet alone doesn't allow me to do it, we need clients (and possibly servers) to use The Internet to communicate etc. Facebook offers these things. It's not the only offer, but please refer me to a usable alternative that my friends use/would use and I'll gladly consider using it.


"I pay a price with my privacy but so far I'm fine with the tradeoff."

Sure. That is fine. But the problem with your statement is that "so far" isn't true. Facebook can and will store your data even if you delete it.

So if the future you starts to agree with my opinion there is no way for you to erase your stuff. It just isn't shown publicly, if you're lucky.


There is absolutely no need for you to own an account.

I find it humorous the way you put that. I'm long past believing any sort of fiction that I actually own the account I created at Facebook (which I never use) and Google (which I use extensively).


This is a great reason why the iOS permissions model is miles better. It's not perfect, but it's a far more logical and friendly approach than the all-or-nothing approach that Android uses.

I hate the Android model. On my Android devices, I've declined many installs that I have happily made on my iOS devices because of overzealous permission requests made by the Android version. Being able to grant those permissions as needed and revoke them without removing the app entirely is awesome and why Google has avoided implementing it in Android to date is beyond me.


Say what? Holy war between iOS vs Android? Irrelevant!

Smartphones are a huge privacy liability whether apple, google or other. facebook is another mega huge privacy liability.

Why google avoided implementing sane privacy control in android is obviously because google is even more of a über huge liability privacy.

Google basically has a head start of a decade and a reach not even facebook or apple can dream of.

Apple makes money by selling overpriced hardware, google makes money by collecting data about you and selling ads, facebook is a website where people give away their privacy who's happy to exist on devices built by apple and google and has no proven business model (robbing advertisers of money only works for so long says history).


If I recall correctly, the SMS permission is so that the app can read the code that facebook sends to your phone to confirm that you own the number that you're trying to link to your facebook account. Another app that I know of that does this is TextSecure, to register your number with their servers, but then again that's a text messaging app, so I'd expect it to be reading my text messages.


I feel it is worth mentioning that if any app scrapes SMS messages they could also scrape messages sent that don't just contain personal information, but which also contain personal financial information (i.e. bank statements or transaction notifications). Many jurisdictions have harsh punishments for accessing / storing financial information (with requirements on where the information is stored, for how long, regulatory approvals, etc) far in excess of punishments for violating 'normal' personal information privacy laws.

I'm sure Facebook are aware of this. All app developers should be too.


Here's Facebook's response as to why the android app requires what it does. https://www.facebook.com/help/210676372433246

I think this article is sensationalist garbage with no proof of facebook mistreating user data.


I disagree. In my opinion, all of these features should be optional.

> Read your text messages (SMS or MMS) - If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message.

I don't mind doing this manually.

> Download files without notification - This allows us to improve the app experience by pre-loading News Feed content.

Happy to wait until I want to load the content.

> Read/write your contacts - These permissions allow you to import your phone’s contacts to Facebook and sync your Facebook contacts to your phone.

Not interested in having my niece's dog's vet's window cleaner in my phone's contacts.

> Add or modify calendar events and send email to guests without owners’ knowledge - This allows you to see your Facebook events in your phone’s calendar.

Might be interested in having this if they got it right, at the moment I get every event I'm invited to added to my calendar, even those I'm not interested in.

> Read calendar events plus confidential information - This allows the app to show your calendar availability (based on your phone’s calendar) when you’re viewing an event on Facebook.

Again, something I'm not really all that interested in.

I don't understand why I need any of these features in order to perform the most common use case - browsing my timeline and posting the occasional update. I'm not advocating removing these features entirely because there are plenty of people who make use of them, but they should be optional - either made optional through changes to Android's permissions system or by FB themselves.


Proof? What do you want them to say. Right in bold red that we WILL read all your SMS & sell that data to advertisers.

Well, I agree that the article is sensationalizing, but if history is any indication, Facebook can & will use all this data against your wishes.


>Facebook can & will use all this data against your wishes

Facebook is limited to what its privacy policy and TOU allow. If Facebook goes beyond that, the FTC, state attorneys general, and a bevy of bottom-feeding class action lawyers will sue (and win).

Anyone who doesn't understand this -- this is directed at the author of the blog post that started this thread, not the parent post -- has no business writing about privacy.


> Facebook is limited to what its privacy policy and TOU allow

That's a utopian interpretation of how corporations work. Most of them have a motto : "It's easier to ask forgiveness than it is to get permission"

Proof : A lot of genuine lawsuits...


>Proof : A lot of genuine lawsuits...

Not quite. The "genuine lawsuits" you mention are proof only that (a) bottom-feeding lawyers file meritless lawsuits in hopes of a fat $$$ settlement, or (b) that sometimes even well-intentioned companies make mistakes and do things beyond what their privacy policy and TOU permit.


There are tools that show you when permission was last used by an app.

I've had the official facebook application installed for months and they never read the SMS messages.


What's garbage is the Facebook response. Asking for that permission is unacceptable, period, end of story, app uninstalled.


Would an engineer for a company that makes billions invading people's privacy really lie? </s>

It's also possible it's used for other things said engineer doesn't know about via scope creep or as another channel of PRISM et al, in which case those people will be thanking the engineer who added the feature.


FB's mobile web interface has worked fine for me. No app, nor permission-granting, required.


And if you want to sync contacts, you can always use HaxSync.

https://play.google.com/store/apps/details?id=org.mots.haxsy...


Or back them up normally with Titanium Backup. If you have Google Contacts Sync installed, you'll need to freeze or uninstall it first to make local contacts though.


Yeah, I don't understand why more people don't use it. As the author points out; the permissions for the native app are scary, and have been for a long while. Use the web interface and all problems are solved!


I am still using the web interface, but I will say that it is mildly annoying when I wish to post media. Native apps get an entry in the "Share" quick-action, web pages don't.


Does FB require similar permissions on iOS?

Also, the permissions they ask for seem like FB is angling to figure out a way to play a bigger role in your life and not just restricted to advertising such as sending out a text or placing calls to most frequently dialed numbers when they figure out that you've been in an accident.

But it seems more likely for the US govt. to do any of the following if they make new laws that are an iterated version of the FISA, etc. laws that give them unrestricted access without any need for disclosure:

> Someone is lost, kidnapped, in an accident, law enforcement can figure out ways to subpoena this information.

> Send fake texts or calls on your behalf and then use that as grounds to detain / question / imprison you.

> Data mine text information to figure out if a revolution is happening in a dissident country and perpetuate this by sending texts to a wider network (similar to starting a local twitter clone in Cuba). If this is a friendly country, you can warn your allies and have these people held as political prisoners in countries such as Saudi Arabia, etc.

> Lots of other scary scenarios.


Permissions on iOS are usually asked as the app needs them, whereas on Android, all permissions needed by the app have to be granted before the app is installed/updated.


This is exactly why I would never install facebook's app (or any other such bloatware crap that does nothing the website can't). Access SMS, camera and location? Fuck no. Android also deserves part of the blame though for not having a way to allow/deny permissions and prevent apps from running as background service when they don't need to.


I often go to install an app but then abort when it asks for what I consider to be overreaching permissions for what the app is. I'm sure the majority of the apps need the permissions for a valid reason that isn't nefarious, however, the end result should be the user's decision. This all or nothing approach is maddening and ridiculous. Simply allow the end user to selectively accept and deny permissions and require app developers to handle the cases when the permission they are asking for are denied. I would feel much better and buy/install a lot more apps.


One could say that required permissions there are just for reading the SMS confirmation codes and easing that friction, in which situation they're actually enabler of better security of your account.


Another one could say that it ultimately boils down to your trust in Facebook. Do you trust enough Facebook to give them a full access to your SMS? I don't.


It's important to note that this is not just a Facebook problem - though Facebook may have the largest install base of affected applications.

Many applications on Google Play ask for excessive rights - I always presumed this was being pushed by mobile advertising services.

I think it's an important issue for Android, as most users are unaware of or careless with these things, and it's just one high profile (perceived) abuse example away from seriously damaging Android's reputation as a platform.


Anybody using Tinfoil for Facebook, a wrapper over the mobile FB website? It allows greater privacy and you never have to worry about your SMS or pictures.


> But check out the exact wording of the SMS/MMS Permission, and that of the Contacts one.

It's impossible to word it in any different way, no matter what you want to do with messages - even if your code is written to read message from one specific number and not even do anything with it the permission text will stay the same. This is text that was set by google.

> What honest and useful reason can Facebook have to get access to my texts?

If the author googled it he would have noticed the official Facebook page that explains the permission used. It's used only to confirm your phone number - if you want to.

> Yet as I say time and time again, this has to be opt-in

Android permissions don't allow opt-in, or opt-out for that matter.

> All it wants are numbers, pure and simple, and the data that comes with these numbers to sell to the highest bidder.

Use something equivalent of privacy settings in CM, I think they're using the AppsOps (sp?) and you'll see that none of the data was even accessed let alone sold to highest bidder.

_____

This article is unresearched, paranoid, bullshit.


I'd like to see optional permissions. I'd like to be able to deny facebook the ability to read my SMS. I would happily do 2-step authentication manually if it meant that they couldn't read my texts. I don't have a lot of experience developing with android but this seems like a smaller change than other suggestions, like granular permissions.


I have App Ops on my phone and Facebook app installed for a while. It says Facebook app read contacts recently. But it 'never used' other sensitive permissions, like read messages, call log etc. I agree that Facebook app probably should inform us why it actually needs these permissions.


I don't use facebook :D


Android just needs App Ops back -- all privacy issues solved. But it seems this won't happen. Pressure from Facebook etc.?


In 20 years are our children's children going to ask us old people what privacy was when they see it in a book somewhere?

Sometimes I wonder what we're leaving the next generation. I'd love to change it if anyone has some realistic ideas.


If only there was an easy way not to have a Facebook account. Oh wait.

EDIT: Why exactly am I getting downvoted?


> Why exactly am I getting downvoted?

Well, you're probably irritating people who like Facebook by implying that Facebook's actions are so bad that not having a Facebook account is a good idea. And you're probably irritating people who dislike Facebook by implying that their actions are justified because it's possible to opt out by not having a Facebook account.

In all seriousness, here at HN we're generally looking for posts that contribute to the discussion. Your post simply bashes Facebook and/or Facebook users without saying anything that isn't trite and hateful.


He said that you don't have to have a Facebook account.

I wouldn't call that hateful. That's just a fact. And it would solve the problem.


You are concise.



