A new version of Facebook for Android drew some media attention because of the SMS reading permissions it requires, raising users’ concerns regarding privacy. Developers do have a reasonable explanation, but is it indisputable?
Any user of Android smartphone knows that Google Play displays a list of “application permissions” before the app is actually downloaded to the user’s device. Each permission, unsurprisingly, grants an application access to some smartphone resource. If the user doesn’t want this app to use GPS or read his contacts, he can abandon app installation. There are no official tools to revoke specific permissions from an installed app. Most users don’t bother with reading those boring permission lists (admittedly almost as boring as license agreements) and just press the “Install” button. Those who actually read them have the chance to discover that SMS reading is just the cherry on top of the cake. The Facebook app actually wants to access every aspect and resource of your smartphone.
Google alerts about these permissions, requested by Facebook app:
Record sound, Take photos and videos,
Make phone calls, Read SMS/MMS,
Precise GPS location, Add/modify calendar events,
Read contacts, Read call logs,
Control user accounts, Modify SD card contents,
Use system tools, Full network access,
Read phone status and identity
Facebook explains that SMS permissions are used with care when it comes to user security. If a user enables two-factor authentication for his account, he must type both the password and the one-time security code sent via SMS during the login. To make things more convenient, a new Facebook app can intercept this SMS code so the user won’t need to look at his inbox, memorize a one-time code, switch back to Facebook and key in the code manually. This kind of behavior is not unique. The popular Whatsapp messenger acts exactly the same way when binding your copy of the app to your phone number.
However, there is a difference between Facebook and Whatsapp – the latter has the official policy of “no ads, no hunt for private data,” while the former earns money through tailored advertisement and private data analysis. It’s understandable that users aren’t very enthusiastic about feeding Facebook even more data, especially when taking into account the somewhat vague language Facebook uses when explaining app permissions on their help page. Developers explain why they use this or that permission, but state that this list of permissions is not complete and that each permission may be used in more ways that they list.
Of course, this is not particularly reassuring. David Emm of Kaspersky Lab explains these concerns very clearly: “Surely the app doesn’t need to do this automatically. Facebook could simply prompt me to type in the code manually. Or, at the very least, provide this option. This may be a perfectly innocent feature. But in the light of growing concerns about online privacy, such an option would help to allay people’s fears”.