Details of the permissions and privileges that you need to hand over to Facebook in order to use their mobile app, as outlined for Android.
The Facebook App for Android has changed quite a lot since I originally wrote this article so I figured I should update to reflect the changes in permissions that the app now requests. There are some improvements and looking back I think I was a little harsh in my judgement with a knee-jerk reaction but the problems remain that the permissions seem too lenient, there is no justification of why the Facebook app needs these permissions, and the only choice we have is to accept them all or not at all.
This article outlines the Facebook App for Android version 1.8.0 as released on 1st December 2011. The original article outlined version 1.6.0 released June 2011 and can be found in the grey shade at the bottom. Clicking the thumbnails will open a full list of all of the permissions that the Facebook App will request from your Android phone.
It is important to distinguish between what Facebook intend to do with these permissions and what they can do with these permissions. They may promise to behave and not do anything sneaky but they are not perfect and they make mistakes. Furthermore if Facebook are ever compromised (if you think it couldn’t happen the recent news is awash with enormous companies[1] falling foul[2] of hackers[3]) then whoever attacks them would inherit all of the same controls over Android as you have permitted for the Facebook App.
It is likely that the App for iPhone, Blackberry et al will request the same permissions but I’ve not checked. If you happen to know about any other OS I’d be happy to hear from you in the comments down below…
Your Messages
- Edit SMS or MMS, read SMS or MMS, receive SMS – This relates to an intention from Facebook to become a single unified messaging service where all of your IMs, emails and messages are handled through one portal, personally I have separate accounts and communication channels for very good reasons and I should not have to hand over control of those separations to a company that has proven repeatedly to put its users’ privacy low on their list of priorities
- Modify/delete SD card contents – This is fairly typical and allows the App to store Facebook content to Android to improve performance and to make the content available when you’re not connected
- Prevent phone from sleeping – This annoys me, it’s no secret that battery performance on modern smart phones is pretty poor, this goes for iPhone as well as Android, it should be up to me to choose whether to trade off battery life for convenience not Facebook
- Read sync settings – This is fairly harmless by itself and without Write access it would be useless to Facebook
- Write sync settings – This annoys me, if I disable automatic synchronising to maximise my battery life then it should stay disabled until I decide to enable it
- Fine (GPS) location – This is fairly typical and is used to provide features like check-in and places, this raises concerns over privacy and tracking but that’s a very different discussion
Services that cost you money
- Send SMS messages – This relates to the earlier Message permissions although the risk of a compromise racking up huge bills with premium rate text messages is worrying
- Act as an account authenticator, Manage the accounts list, Discover known accounts – While account permissions are necessary for the App to authenticate against Facebook on your behalf I think it is a failing from Android that these permissions are not more granular, from these titles it seems that the App will have permission over ALL accounts that are added to Android
Your personal information
- Read contact data, Write contact data – While this is fairly typical of Android Apps I don’t think that anyone other than myself should be able to change my personal information on Android, it is however fairly harmless
- Read phone state and identity – This is fairly typical and it allows Facebook to identify you or more specifically to identify your Android handset, for some however this raises concerns over tracking and privacy but if that’s the case you probably shouldn’t be on Facebook to begin with
- Full internet access – This is fairly typical and the App wouldn’t be able to communicate with Facebook without it
- Receive data from Internet – This is intended to provide push-notifications so that new messages are instantly received but it could be used to push anything down to your Android, including malware or spyware that could take advantage of all of these permissions and data points, having an automated sync schedule to poll for new messages every few minutes should be sufficient and then this permission would not be needed
- View network status – I’m not sure on the purpose of this
- Control vibrator – This is fairly typical and is used to provide notification of messages received, one comment however is that as the owner of the phone I should be able to disable this
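
The review above can be repeated for any app, since the labels on the install screen come from the `<uses-permission>` entries in its manifest. The sketch below is an added example, not part of the original article or any Facebook code: it reads a decoded (plain-text) AndroidManifest.xml, translates a subset of the permission constants back to the labels used above, and applies the same reasoning about SMS cost, sync settings and battery. The constant-to-label mapping, the `com.example.social` sample manifest and the function names are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Install-screen label for each constant (mapping added here, not from the article).
LABELS = {
    P + "READ_SMS": "Read SMS or MMS",
    P + "WRITE_SMS": "Edit SMS or MMS",
    P + "RECEIVE_SMS": "Receive SMS",
    P + "SEND_SMS": "Send SMS messages",
    P + "WAKE_LOCK": "Prevent phone from sleeping",
    P + "READ_SYNC_SETTINGS": "Read sync settings",
    P + "WRITE_SYNC_SETTINGS": "Write sync settings",
    P + "MANAGE_ACCOUNTS": "Manage the accounts list",
    P + "INTERNET": "Full internet access",
    "com.google.android.c2dm.permission.RECEIVE": "Receive data from Internet",
}

# Constructed sample manifest for a hypothetical app; not Facebook's real manifest.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SYNC_SETTINGS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.example.social.permission.C2D_MESSAGE"/>
</manifest>"""

def requested(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}

def audit(manifest_xml):
    """Return (labels, unknown, notes) following the article's reasoning."""
    perms = requested(manifest_xml)
    labels = sorted(LABELS[p] for p in perms if p in LABELS)
    unknown = sorted(p for p in perms if p not in LABELS)  # app-defined or unmapped
    notes = []
    if P + "SEND_SMS" in perms:
        notes.append("can cost money: able to send SMS")
    if P + "WRITE_SYNC_SETTINGS" in perms:
        notes.append("can re-enable sync the user turned off")
    elif P + "READ_SYNC_SETTINGS" in perms:
        notes.append("sync settings are read-only for this app")
    if P + "WAKE_LOCK" in perms:
        notes.append("can keep the phone awake (battery)")
    return labels, unknown, notes
```

Permissions that fall into `unknown` are the ones to look up by hand, since they are either app-defined or outside the subset mapped here.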