Facebook Android App Permissions

Details of the permissions and privileges that you need to hand over to Facebook in order to use their mobile app, outlined for Android.

The Facebook App for Android has changed quite a lot since I originally wrote this article, so I figured I should update it to reflect the changes in permissions that the app now requests. There are some improvements, and looking back I think I was a little harsh in my judgement with a knee-jerk reaction, but the problems remain: the permissions seem too lenient, there is no justification of why the Facebook app needs these permissions, and the only choice we have is to accept them all or not at all.

 

Updated again to reflect new permissions in Facebook App for Android version 1.8.4 released 12 March 2012. As of this release, following recent public complaints and news articles, the Facebook App for Android no longer has permission over your SMS text messages. All other permissions appear to be the same as before.

This article outlines the Facebook App for Android version 1.8.0 as released on 1st December 2011. The original article outlined version 1.6.0 released June 2011 and can be found in the grey shade at the bottom. Clicking the thumbnails will open a full list of all of the permissions that the Facebook App will request from your Android phone.

It is important to distinguish between what Facebook intend to do with these permissions and what they can do with these permissions. They may promise to behave and not do anything sneaky, but they are not perfect and they make mistakes. Furthermore, if Facebook are ever compromised (if you think it couldn’t happen, the recent news is awash with enormous companies[1] falling foul[2] of hackers[3]) then whoever attacks them would inherit all of the same controls over Android as you have permitted for the Facebook App.

It is likely that the App for iPhone, Blackberry et al will request the same permissions but I’ve not checked. If you happen to know about any other OS I’d be happy to hear from you in the comments down below…

  • Your Messages

    • Edit SMS or MMS, read SMS or MMS, receive SMS – This relates to an intention from Facebook to become a single unified messaging service where all of your IMs, emails and messages are handled through one portal. Personally I have separate accounts and communication channels for very good reasons, and I should not have to hand over control of those separations to a company that has proven repeatedly to put its users’ privacy low on their list of priorities
  • Storage

    • Modify/delete SD card contents – This is fairly typical and allows the App to store Facebook content to Android to improve performance and to make the content available when you’re not connected
  • System tools

    • Prevent phone from sleeping – This annoys me, it’s no secret that battery performance on modern smart phones is pretty poor, this goes for iPhone as well as Android, it should be up to me to choose whether to trade off battery life for convenience not Facebook
    • Read sync settings – This is fairly harmless by itself and without Write access it would be useless to Facebook
    • Write sync settings – This annoys me, if I disable automatic synchronising to maximise my battery life then it should stay disabled until I decide to enable it
  • Your location

    • Fine (GPS) location – This is fairly typical and is used to provide features like check-in and places, this raises concerns over privacy and tracking but that’s a very different discussion
  • Services that cost you money

    • Send SMS messages – This relates to the earlier Message permissions although the risk of a compromise racking up huge bills with premium rate text messages is worrying
  • Your accounts

    • Act as an account authenticator, Manage the accounts list, Discover known accounts – While account permissions are necessary for the App to authenticate against Facebook on your behalf I think it is a failing from Android that these permissions are not more granular, from these titles it seems that the App will have permission over ALL accounts that are added to Android
  • Your personal information

    • Read contact data, Write contact data – While this is fairly typical of Android Apps I don’t think that anyone other than myself should be able to change my personal information on Android, it is however fairly harmless
  • Phone calls

    • Read phone state and identity – This is fairly typical and it allows Facebook to identify you or more specifically to identify your Android handset, for some however this raises concerns over tracking and privacy but if that’s the case you probably shouldn’t be on Facebook to begin with
  • Network Communication

    • Full internet access – This is fairly typical and the App wouldn’t be able to communicate with Facebook without it
    • Receive data from Internet – This is intended to provide push-notifications so that new messages are instantly received, but it could be used to push anything down to your Android, including malware or spyware that could take advantage of all of these permissions and data points. Having an automated sync schedule to poll for new messages every few minutes should be sufficient, and then this permission would not be needed
    • View network status – I’m not sure on the purpose of this
  • Hardware controls

    • Control vibrator – This is fairly typical and is used to provide notification of messages received, one comment however is that as the owner of the phone I should be able to disable this
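
An added example, not part of the original article: because the only choice at install or update time is all or nothing, it helps to see exactly what changed between two versions, such as the SMS permissions dropped in 1.8.4. The sketch below diffs the text printed by `aapt dump permissions` for two APKs. The sample outputs, the package name `com.example.social` and the mapping from install-dialog labels to manifest names are assumptions constructed for illustration.

```python
import re

# Manifest names for the article's most sensitive entries. Mapping the install
# dialog labels to these names is this example's reading, not from the page.
SENSITIVE = {
    "android.permission.SEND_SMS": "Services that cost you money",
    "android.permission.READ_SMS": "Your messages",
    "android.permission.WRITE_SMS": "Your messages",
    "android.permission.RECEIVE_SMS": "Your messages",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
    "android.permission.WRITE_CONTACTS": "Your personal information",
    "android.permission.MANAGE_ACCOUNTS": "Your accounts",
}

# Accepts both styles printed by `aapt dump permissions`:
#   uses-permission: android.permission.INTERNET
#   uses-permission: name='android.permission.INTERNET'
_LINE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(aapt_output):
    """Return the set of permission names found in aapt text output."""
    found = (_LINE.match(line.strip()) for line in aapt_output.splitlines())
    return {m.group(1) for m in found if m}

def diff_versions(old_output, new_output):
    """Compare two versions: added, removed and retained sensitive permissions."""
    old, new = parse_permissions(old_output), parse_permissions(new_output)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "added_sensitive": sorted((p, SENSITIVE[p]) for p in new - old if p in SENSITIVE),
        "kept_sensitive": sorted(p for p in new & old if p in SENSITIVE),
    }

# Constructed sample output (not dumped from the real APKs): BEFORE follows part
# of the article's 1.8.0 list, AFTER drops SMS as described for 1.8.4.
BEFORE = """package: com.example.social
uses-permission: android.permission.INTERNET
uses-permission: android.permission.SEND_SMS
uses-permission: android.permission.READ_SMS
uses-permission: android.permission.WRITE_SMS
uses-permission: android.permission.RECEIVE_SMS
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.WAKE_LOCK"""
AFTER = """package: com.example.social
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WAKE_LOCK'"""

if __name__ == "__main__":
    for key, value in diff_versions(BEFORE, AFTER).items():
        print(key, value)
```

Swapping the two arguments models the opposite case, an update that asks for more than the installed version had, and `added_sensitive` then lists the entries worth questioning before accepting.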

 

Original Article – Facebook App for Android, v1.6.0, June 2011

I’ve just received an update alert on my Android phone which means that there is an update for an application that I have installed but it needs my approval for new permissions. The application update is for “Facebook for Android” 1.6.0 and the list of permissions that the application is asking for is quite frankly shocking.

Click the image here to see a full screen shot of the update request.  Below is a full list of the permissions requested, with my comments on what I think of each permission…

  • Your personal information
    • Read contact data – This is reasonable.
    • Write contact data – Why do Facebook want to change my own personal details on my own personal phone?  What will they change the details to?
  • Services that cost you money
    • Send SMS messages – Er, no.  I’m not giving any application permission to do anything that will cost me money.  I’m not saying I don’t trust Facebook, but I don’t trust Facebook.
  • Your location
    • Fine (GPS) location – This is reasonable, it’s used for Facebook check-in services if you choose to use such things.
  • Your messages
    • Edit SMS or MMS – How will Facebook edit my messages?  If I read a message then I want to know that it’s the same message that was sent to me and not one that may or may not have been altered in some undefined way by Facebook.
    • Read SMS or MMS – My SMS text messages exist outside of Facebook.  There is a reason for this.  I know that Facebook are trying to merge all communications into one place but this should be my choice
    • Receive SMS – This is what allows Facebook to intercept my messages, read them and edit them.   Absolutely not going to happen.
  • Network communication
    • Allows the application to accept cloud to device messages from the application’s service – So Facebook can send any data or instruction to my mobile phone at any time?  What sort of data or instructions will they be sending?
    • Full internet access – This is reasonable, in fact this is about the only permission that the application SHOULD actually need
  • Your accounts
    • Act as an account authenticator – Almost reasonable, it allows the application to log in as you.
    • Manage the accounts list – All accounts? No.  Why does Facebook think it has the right to access/authenticate any of my accounts other than Facebook?
  • Phone calls
    • Read phone state and identity – Almost reasonable, it allows the application to know if you’re talking on the phone before raising notifications but it also means that Facebook can uniquely identify your handset and I can’t think of any reason why that should matter.
  • System tools
    • Prevent phone from sleeping – This is just annoying, stopping your phone from going into sleep mode causes a drain on the battery.
    • Write sync settings – This is also annoying, you can improve battery performance by limiting sync operations to only when you want them to happen but this gives up any control and again causes a drain on the battery.

Unfortunately the only options are to accept all or nothing so for me for now, it’s nothing. There are applications that purportedly allow granular control over permissions (LBE privacy guard is one example) but I’ve not explored these yet. If I find an alternative or a solution then I’ll update this post…

Of course it is entirely up to you whether you’re happy to hand over this level of control and access to your phone and personal data but I’d question how far Facebook will go, what else they might do and what would happen if they were ever compromised (the news is rife with big names falling foul of hackers seemingly every week).

I’d be interested to hear whether you’ve accepted this upgrade, whether you share my concerns over privacy and whether the iPhone app is as bold on permissions as the Android app…

9 thoughts on “Facebook Android App Permissions”

  1. Michael

    I installed Facebook for Android, but only because I have an app called “LBE Privacy Guard”. It requires root access but allows me to deny permissions I deem harmful.

    1. thegaryhawkins Post author

      Hi Michael, Thanks for taking the time to comment. I’ve heard of LBE being recommended before but I’ve not tried it yet, it’s a shame that such apps are necessary.

  2. Moritz

    Does LBE Privacy Guard work without complications even if Facebook is integrated in the Android System itself? Because I still use an old Facebook App that doesn’t use all these permissions but I think about upgrading to a newer version. Still I want it to be integrated in the System because that way it doesn’t seem to use all that much phone storage. Even using force2sd only makes the app use half the phone storage which still is about 3Mb at the version I’m using.

    1. thegaryhawkins Post author

      Hi Moritz, I’ve not had a chance to test LBE yet but from the comments on its AppMarket page it seems to be quite flaky https://market.android.com/details?id=com.lbe.security&hl=en
      The way I understand it, the Facebook app should work the same as any other app, the level of integration is really just down to the permissions and API links. Personally I use the standard web browser for Facebook, the mobile web version works fine for me although there are some drawbacks which some might not be happy with; in particular are contacts sync and easy photo upload.

      Hope this helps. If I get round to testing LBE I’ll be sure to post something here 🙂 have a nice day!

  3. Yaser

    Nice to see someone talking about this. I have this issue still, and I am refusing to upgrade the version I have, and if it won’t work probably in future I will switch to the browser.
    The most annoying thing over all those permissions is that they don’t explain why they need them!
    I mean come on, do you think people are fools?

    Keep us updated in case you get more information.

    Cheers,

  4. thegaryhawkins Post author

    For anyone tracking comments on this article (Facebook Android App Permissions) I’ve updated the post with the latest app version 1.8.0 released 1st December 🙂

  5. Tony

    Good article. I installed Facebook and had this question in mind of why it needs to read / write /send sms. Uninstalling.

    Cheers,

  6. keelie Mccoy

    I have just updated my Facebook application on my Samsung Galaxy Apollo and I was wondering if I could go back to the last version as being nothing but trouble with the update. How do I get the old version back x

    1. thegaryhawkins Post author

      Hi Keelie, I’m afraid that’s not a straightforward option provided on Android as standard, but it can be done with a bit of fiddling.

      First you’ll need to uninstall the current version of the Facebook App (Settings -> Applications -> Manage Applications -> Facebook -> Uninstall)

      Then you’ll need to find the installation file for an older version.
      I don’t have this available to share and I don’t know of any reputable archived software servers. You should be very careful about downloading software from anywhere other than the approved Android App market because the package may have been tampered with to contain malware. If you want to go down this road then the installation files have a .APK extension and you’ll be looking for version 1.8.3 or 1.8.2

      Worst case scenario I’ve found the mobile web version on the Android standard browser to be quite usable. Please come back and let me know how you get on…
