AppleInsider › Forums › Mobile › iPhone › Most popular Android app caught harvesting users contacts: Facebook

Most popular Android app caught harvesting users contacts: Facebook

post #1 of 70
Thread Starter 
Facebook, the top-ranking free app in Google Play, has taken advantage of Android's weak platform security to collect users' phone numbers as soon as the app is installed, highlighting core differences in Apple's approach to protecting users' privacy and those of social-advertising firms like Facebook and Google.

Google Play


The news of Facebook's latest "leak" was outed by Symantec after it analyzed various Android apps using its Norton Mobile Insight tool designed to "discover malicious applications, privacy risks, and potentially intrusive behavior."

Symantec didn't need to dig deep into Google Play to find pay dirt, but its researchers still noted that it "even surprised us when we reviewed the most popular applications exhibiting privacy leaks."

The firm stated, "the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

Just one week ago, Facebook users found that it was possible to download private information from people who had "some connection to them," even when that data had not been intentionally shared with Facebook. That illuminated the company's efforts to secretly collect all kinds of data in its social graph to improve its advertising and friend recommendations, beyond the details intentionally shared by members.

Because the various versions of Android have no coherent security policy regarding the sharing of personal data without the user's permission, Facebook's "automatic sharing" in its Android app affects everyone, even iOS users with Android friends.

Symantec said it "reached out" to Facebook, which it said "investigated the issue and will provide a fix in their next Facebook for Android release." Facebook denied that it was collecting the data for actual use and stated that it had deleted the information from its servers.

"Unfortunately, the Facebook application is not the only application leaking private data or even the worst," Symantec noted. "We will continue to post information about risky applications to this blog in the upcoming weeks." In the mean time, the firm recommends that Android users download its tool to see which Android apps are "leaking" private information.

Apple's Walled Garden



Apple's "walled garden" approach to its mobile platform has long erected barriers for app developers, forcing them to request permission before collecting the user's location data, well before anyone anticipated that developers would broadly harvest location data.

Last year, Apple's iOS 6 similarly began to block unauthorized access to Contacts after Path was found to be unloading users' address books without asking. One year later, 96 percent of iOS users are on the latest version and protected by the security enhancement.

Mobile OS installed base stats


Due to fragmentation on even new Android phones, Google's platform can't be similarly secured even if it were in Google's interests to stop app developers from sharing users' private data for advertising and social recommendation purposes.

Apple's app model on iOS has always blocked third-party apps from collecting data from other apps or reading other apps' files that aren't expressly accessed by the user. The company has also worked to protect users' privacy when browsing, turning off injected cookie tracking by default in Safari.

That practice has stymied the efforts of advertising networks to build dynamic Facebook-style dossiers on individuals for ad tracking and behavior purposes, something that bothered Google so much that it simply ignored the security settings to collect data for ads and Google+, eventually resulting in the largest fine in FTC history.

Corporations' end run around Constitutional rights



Recent leaks describing corporate cooperation with government requests for private information have highlighted how businesses that collect large amounts of data for marketing, social graph or other purposes are effectively creating huge repositories for governments to tap into, often with minimal oversight in place to prevent abuses.

Public concerns about the U.S. government's spying programs have reached a fever pitch so high that Ars recently launched an investigation into whether Apple's iMessage, an encrypted enhancement that provides far more security than plain text SMS messages, could potentially be "spied upon" by Apple itself, something the company has said it simply does not do.

"Apple has always placed a priority on protecting our customers' personal data," the company had stated earlier, "and we don't collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it."

No comment was made in the article about the complete lack of messaging security on other mobile platforms where SMS messaging isn't encrypted at all, including Android and Windows Mobile.

Encryption does appear to be having an impact on government efforts to police via wiretaps, however. A report this week by David Kravets of Wired cited a document by the U.S. Administrative Office of the Courts which noted:

"Encryption was reported for 15 wiretaps in 2012 and for 7 wiretaps conducted during previous years. In four of these wiretaps, officials were unable to decipher the plain text of the messages. This is the first time that jurisdictions have reported that encryption prevented officials from obtaining the plain text of the communications since the AO began collecting encryption data in 2001."

Kravets wrote that "the encryption numbers begin to highlight the government's stated fear, and its propaganda railing against encryption, which is a standard feature on today's Apple computers."

He also pointed out that "97 percent of the wiretaps issued last year were for 'portable devices' such as mobile phones and pagers," and "about 87 percent of the wiretaps were issued in drug-related cases."
post #2 of 70
Pagers? Was this article written in 1993?
post #3 of 70
MSM: nothing to see here. Move along. We could rag on Facebook, but no one trusts them anyway.
post #4 of 70
Pot kettle.
Citing unnamed sources with limited but direct knowledge of the rumoured device - Comedy Insider (Feb 2014)
post #5 of 70

This is mostly a non-story in relationship to iOS strengths VS weaknesses compared to Android.  iOS has had its own cases of FUBARs in this exact type of thing as well.

 

The sad state is many applications use various frameworks with minimal testing going on as to what the frameworks do. Many of these are designed for analytics and, if you don't really do your homework, you can get caught with these things. This is not to excuse the behavior but iOS and Android are equally guilty with or without the fragmentation issues.

post #6 of 70

So how's that open platform thing workin' out for ya?

post #7 of 70
Privacy and social networks are opposing concepts. But I have to agree that merely installing an app shouldn't cause you to surrender your contact list. It's onerous. I'm sure Facebook worked it into their terms and conditions of use, so it's not like you can do anything about it, except not use Android.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #8 of 70
Third article in a row with a specious connection to being even Apple rumor, much less news and the fourth that is nothing but hit whoring.

Did everyone go on vacay and leave DED in charge?

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #9 of 70
The thing is, "functionality" like this doesn't happen by accident. It doesn't get programmed without absolute and clear intent.

So, Facebook covering and backpedaling by "investigating" and claiming they've deleted all the gathered data is hooey. Just like there's no-one checking to see how egregiously these apps behave, there's also no-one checking the veracity of those claims. Just saying they have doesn't mean they have.

If someone actually had a way to check it, they'd no doubt find something, and all FB would have to do then is walk it back by saying something like, "oh, we overlooked a few, we'll take care of that right away"…

By then, the data has been resold and redistributed widely. Nothing to be done about it by then…

Yet another event reinforcing my decision to remove all my 'data' from FB 18 months ago, logout, and to never look back.
post #10 of 70

Wow! Stealing people's phone numbers? lol.gif

 

I am so glad that I am not on Facebook and even more glad that I am not on Android. What a freakin' nightmare and disaster.

post #11 of 70
Quote:
Originally Posted by Suddenly Newton View Post

Privacy and social networks are opposing concepts. But I have to agree that merely installing an app shouldn't cause you to surrender your contact list. It's onerous. I'm sure Facebook worked it into their terms and conditions of use, so it's not like you can do anything about it, except not use Android.

Mostly agree, except for the solution (which I also agree with in principle, but…).

 

You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

post #12 of 70
Quote:
Originally Posted by Steven N. View Post

This is mostly a non-story in relationship to iOS strengths VS weaknesses compared to Android.  iOS has had its own cases of FUBARs in this exact type of thing as well.

 

The sad state is many applications use various frameworks with minimal testing going on as to what the frameworks do. Many of these are designed for analytics and, if you don't really do your homework, you can get caught with these things. This is not to excuse the behavior but iOS and Android are equally guilty with or without the fragmentation issues.

 

They're not "equally guilty." Android is far MORE guilty.

 

The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

 

For instance: Facebook couldn't do this on iOS.

post #13 of 70

Cue the congressional hearings . . . not holding my breath on that one.

post #14 of 70

The culprit here is Facebook. It's not true that no one trusts it. Those who deny Facebook's popularity are demonstrating ignorance.

post #15 of 70
Quote:
Originally Posted by nagromme View Post

 

They're not "equally guilty." Android is far MORE guilty.

 

The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

 

For instance: Facebook couldn't do this on iOS.

 

http://gizmodo.com/5885321/how-iphone-apps-steal-your-contact-data-and-why-you-cant-stop-it

post #16 of 70
Quote:
Originally Posted by stelligent View Post

The culprit here is Facebook. It's not true that no one trusts it. Those who deny Facebook's popularity are demonstrating ignorance.

There are certainly a lot of people who bash Facebook, including me, but who is denying it's popularity? Facebook has a lot of users, but so what?

 

If ten people jump off a bridge, am I going to follow their lead? lol.gif

post #17 of 70
I don't get it, if you're an Android user you're already sharing your contacts with Google. Sharing them with Facebook too is no more or less of a privacy violation at that point, so what's the problem?
post #18 of 70
Quote:
Originally Posted by Apple ][ View Post

Wow! Stealing people's phone numbers? lol.gif

 

I am so glad that I am not on Facebook and even more glad that I am not on Android. What a freakin' nightmare and disaster.

Me too. SJ said FB's conditions were "too onerous!" That's good enough for me. 

post #19 of 70

I went to install the FB app on my android phone once until I saw all the unnecessary permissions it wanted.  I decided to instead use FB thru the Chrome browser.  I don't really care if FB has my number, but they can't have full access to my phone.


Edited by DroidFTW - 7/1/13 at 3:43pm
post #20 of 70
Quote:
Originally Posted by tribalogical View Post

Mostly agree, except for the solution (which I also agree with in principle, but…).

You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

You are correct, that is a valid option.

However, IF (1) users don't agree to the terms and conditions of use until they first use (launch) the app, and (2) the app harvests your data when you install it, (as the poorly-worded article states), but before you can consent to the terms and conditions of use, then Facebook is wrong.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #21 of 70

I wouldn't be too sure even about the Apple Facebook implementation. I had students I work with in my lab suggested for "friending" when I've deliberately never put in my employment or university affiliation. EVER, and they have zero association with anyone I had listed as friends. Maybe they're suggesting people that run off the same WiFi network? As would be the case in the lab....

post #22 of 70
Funny how some posters are denying that this is screwed up....
Facebook is intentionally hiding accessing contacts and getting numbers without permission.
No, that is not a problem... It is OK... While they are at it, why don't they try to access all your passcodes to banks and all.
Android is not secure and Facebook took advantage of that and the end user is compromised!
On the other hand, they were not able to pull that off on iOS....
If you don't see the difference.. ..... Well, as they say, "there is no cure for ....."
post #23 of 70
Quote:
Originally Posted by ktappe View Post

So how's that open platform thing workin' out for ya?

Read post #6 and stop trolling.

post #24 of 70
I'm tired of companies trying to get off when caught by claiming they have "deleted the information from its servers" because I bet dollars to donuts ALL that information is still contained in every single database backup they've made, and when those backups get restored or reused to populate a big-data server for analysis, all that data that they have "deleted" is right there.
post #25 of 70
Quote:
Originally Posted by nagromme View Post

 

They're not "equally guilty." Android is far MORE guilty.

The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

 

For instance: Facebook couldn't do this on iOS.

Really? Did you write code for Facebook for Android that you speak with such authority? If yes then...

post #26 of 70
Quote:
Originally Posted by gregord View Post

Pagers? Was this article written in 1993?

 

FYI: Pagers were huge as late as 1999.

post #27 of 70
Quote:
Originally Posted by andrzejls View Post

Really? Did you write code for Facebook for Android that you speak with such authority? If yes then...

 

Go read the API differences between the models. I'll take iOS any day of the week.

post #28 of 70
Quote:
Originally Posted by Yojimbo007 View Post

Funny how some posters are denying that this is screwed up....
Facebook is intentionally hiding accessing contacts and getting numbers without permission.
No, that is not a problem... It is OK... While they are at it, why don't they try to access all your passcodes to banks and all.
Android is not secure and Facebook took advantage of that and the end user is compromised!
On the other hand, they were not able to pull that off on iOS....
If you don't see the difference.. ..... Well, as they say, "there is no cure for ....."

I guess you failed to check out the link in post #15. Please do your homework before you shoot yourself in the foot, will you?

post #29 of 70
Quote:
Originally Posted by mdriftmeyer View Post

 

Go read the API differences between the models. I'll take iOS any day of the week.

So am I, but you did not address the question at hand, did you?

post #30 of 70
Yawn, I see the usual brigade are here with their denials and excuses.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #31 of 70
Quote:
Originally Posted by os2baba View Post

Gizmodo... Blah, blah, blah

Really? You're citing Gizmodo as a reliable source? They've had a massive chip on their shoulder ever since the iPhone 4 incident. They bash Apple at the drop of hat. Not saying it may not be happening with iOS too, but Gizmodo's not what I would call impartial and objective.
post #32 of 70
I'm seriously concerned about the emerging information economy. The longer practices like this are in place the more they are normalised, and it becomes increasingly difficult to claw back. Currently we have software demanding carte blanche access to user information, even information that is not relevant to the provision of the service.
 
If companies exist to create profit we can't expect them to be more ethical than the framework we set for them. Regardless of whether they want to, in order to remain competitive they have to play this game. The responsibility to legislate a minimum acceptable standard falls to us.
 
The only thing software should demand from a user in order to function is a cash fee. It has no right to hold us to ransom over a real name, contact information or anything else (if the user declines).
post #33 of 70
Quote:
Originally Posted by nagromme View Post

That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

 

"All substances are poisons. There is none which is not a poison. The right dose differentiates a poison and a remedy."

 

Paracelsus: 1493 - 1541

post #34 of 70
Quote:
Originally Posted by Yojimbo007 View Post

Facebook intentionally is hiding accessing contacts and getting numbers with out permission.

 

They're not hiding it.  Here's the list of permissions that you are presented with and have to allow the FB app in order to install it.  BTW, a list this long is relatively unheard of for an android app.

 

Permissions

This application has access to the following:

  • Your accounts
    create accounts and set passwords
    Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
    add or remove accounts
    Allows the app to perform operations like adding and removing accounts, and deleting their password.
  • Your location
    approximate location (network-based)
    Allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine approximately where you are.
    precise location (GPS and network-based)
    Allows the app to get your precise location using the Global Positioning System (GPS) or network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine where you are, and may consume additional battery power.
  • Network communication
    full network access
    Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
  • Phone calls
    directly call phone numbers
    Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Note that this doesn't allow the app to call emergency numbers. Malicious apps may cost you money by making calls without your confirmation.
    read phone status and identity
    Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
  • Storage
    modify or delete the contents of your USB storage
    Allows the app to write to the USB storage.
  • System tools
    install shortcuts
    Allows an app to add shortcuts without user intervention.
    read battery statistics
    Allows an application to read the current low-level battery use data. May allow the application to find out detailed information about which apps you use.
  • Your applications information
    retrieve running apps
    Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device.
  • Camera
    take pictures and videos
    Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
  • Other Application UI
    draw over other apps
    Allows the app to draw on top of other applications or parts of the user interface. They may interfere with your use of the interface in any application, or change what you think you are seeing in other applications.
  • Microphone
    record audio
    record audio
  • Your social information
    write call log
    Allows the app to modify your device's call log, including data about incoming and outgoing calls. Malicious apps may use this to erase or modify your call log.
    read your contacts
    Allows the app to read data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.
    modify your contacts
    Allows the app to modify the data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific contacts. This permission allows apps to delete contact data.
    read call log
    Allows the app to read your device's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
  • Your accounts
    find accounts on the device
    Allows the app to get the list of accounts known by the device. This may include any accounts created by applications you have installed.
  • Network communication
    view Wi-Fi connections
    Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.
    view network connections
    Allows the app to view information about network connections such as which networks exist and are connected.
    receive data from Internet
    Allows apps to accept cloud to device messages sent by the app's service. Using this service will incur data usage. Malicious apps could cause excess data usage.
    download files without notification
    Allows the app to download files through the download manager without any notification being shown to the user.
  • System tools
    test access to protected storage
    Allows the app to test a permission for USB storage that will be available on future devices.
    read Home settings and shortcuts
    Allows the app to read the settings and shortcuts in Home.
  • Affects Battery
    prevent device from sleeping
    Allows the app to prevent the device from going to sleep.
    control vibration
    Allows the app to control the vibrator.
  • Your applications information
    run at startup
    Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.
    reorder running apps
    Allows the app to move tasks to the foreground and background. The app may do this without your input.
  • Audio Settings
    change your audio settings
    Allows the app to modify global audio settings such as volume and which speaker is used for output.
  • Sync Settings
    toggle sync on and off
    Allows an app to modify the sync settings for an account. For example, this can be used to enable sync of the People app with an account.
    read sync settings
    Allows the app to read the sync settings for an account. For example, this can determine whether the People app is synced with an account.
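As an added example (not code from the thread, from Facebook or from Google), the Python script below reads the `<uses-permission>` declarations from an AndroidManifest.xml and flags the combinations behind the behaviour Symantec describes: a permission that exposes personal data (contacts, call log, the phone's own number and device IDs via READ_PHONE_STATE, accounts, location) declared alongside INTERNET, which on the Android versions of this period was granted at install time with no per-use prompt. The mapping from the Play Store labels in the list above to manifest constants is this example's own (from the Android permission documentation), and the two manifests and their package names are constructed test data: one mirrors the categories quoted above, the other is the baseline a thin client that only loads the site would need, which is what posts #19 and #36 describe.

```python
"""Static audit of the <uses-permission> list in an AndroidManifest.xml.

On the Android versions discussed in this thread (before 6.0 / API 23),
every permission in the manifest was granted at install time, so this list
is exactly the capability set the user agreed to in the Play Store dialog.
The audit flags the combinations that matter for privacy: something worth
reading plus a way to send it off the device, with no prompt in between.
"""
import xml.etree.ElementTree as ET

ANDROID_NS_URI = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS_URI  # Clark notation for android:name

# Play Store label -> manifest constant mapping is this example's own, taken
# from the Android permission documentation, not from the forum post.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.WRITE_CALL_LOG": "call log",
    "android.permission.READ_PHONE_STATE": "phone number and device IDs",
    "android.permission.GET_ACCOUNTS": "account list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
}
SENSORS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}
COSTLY = {
    "android.permission.CALL_PHONE": "place calls without confirmation",
}
NETWORK = "android.permission.INTERNET"


def declared_permissions(manifest_xml):
    """Return the set of permission names requested by a manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NAME) for e in root.iter("uses-permission")
            if e.get(ANDROID_NAME)}


def audit(manifest_xml):
    """Classify the declared permissions and list install-time capabilities."""
    perms = declared_permissions(manifest_xml)
    report = {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permission_count": len(perms),
        "personal_data": sorted({v for k, v in PERSONAL_DATA.items() if k in perms}),
        "sensors": sorted({v for k, v in SENSORS.items() if k in perms}),
        "costly": sorted({v for k, v in COSTLY.items() if k in perms}),
        "network": NETWORK in perms,
        "findings": [],
    }
    if report["network"]:
        # Readable data plus INTERNET: collectable and uploadable on first
        # launch, before any login, which is the behaviour Symantec reported.
        for item in report["personal_data"]:
            report["findings"].append(
                f"can read {item} and upload it without any further prompt")
    for sensor in report["sensors"]:
        report["findings"].append(
            f"can use the {sensor} at any time without confirmation")
    for action in report["costly"]:
        report["findings"].append(f"can {action}")
    return report


def excess_permissions(manifest_xml, baseline):
    """Permissions declared beyond the set the app's function actually needs."""
    return sorted(declared_permissions(manifest_xml) - set(baseline))


def make_manifest(package, permission_names):
    """Build a manifest string from a permission list (constructed test data)."""
    body = "\n".join(f'  <uses-permission android:name="{n}"/>'
                     for n in permission_names)
    return (f'<manifest xmlns:android="{ANDROID_NS_URI}" package="{package}">\n'
            f"{body}\n</manifest>")


# Constructed manifests: one mirroring the categories in the list quoted above,
# one with only what a thin client that merely loads the site would need.
OVERPRIVILEGED = make_manifest("com.example.social", [
    "android.permission." + n for n in (
        "INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_CONTACTS "
        "WRITE_CONTACTS READ_CALL_LOG WRITE_CALL_LOG READ_PHONE_STATE CALL_PHONE "
        "GET_ACCOUNTS MANAGE_ACCOUNTS AUTHENTICATE_ACCOUNTS ACCESS_FINE_LOCATION "
        "ACCESS_COARSE_LOCATION CAMERA RECORD_AUDIO WRITE_EXTERNAL_STORAGE "
        "SYSTEM_ALERT_WINDOW GET_TASKS RECEIVE_BOOT_COMPLETED WAKE_LOCK VIBRATE "
        "BATTERY_STATS READ_SYNC_SETTINGS WRITE_SYNC_SETTINGS").split()])
BASELINE = ["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"]
MINIMAL = make_manifest("com.example.thinclient", BASELINE)

if __name__ == "__main__":
    for manifest in (OVERPRIVILEGED, MINIMAL):
        r = audit(manifest)
        print(f"{r['package']}: {r['permission_count']} permissions, "
              f"{len(r['findings'])} findings")
        for finding in r["findings"]:
            print("  -", finding)
        print("  beyond baseline:", len(excess_permissions(manifest, BASELINE)))
```

The point of `excess_permissions` is post #35's question: subtract the baseline a working client needs from what the manifest asks for, and everything left is data the app can take but does not need for its stated function. The same function works on a real manifest pulled from an APK (`aapt dump xmltree` or apktool output, converted to XML), which is how one would check a shipped build rather than trust the store listing.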
post #35 of 70
Quote:
Originally Posted by DroidFTW View Post

 

They're not hiding it.  Here's the list of permissions that you are presented with and have to allow the FB app in order to install it.  BTW, a list this long is relatively unheard of for an android app.

 

[snip]

 

I don't use FB, and have no interest in doing so.  But can someone, anyone explain to me why 90% of this stuff would be necessary for a FB app?

post #36 of 70
Quote:
Originally Posted by tribalogical View Post

Mostly agree, except for the solution (which I also agree with in principle, but…).

 

You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

 

I just log into FB through Chrome.  The permissions required are clearly listed before the app is installed.  Not all developers are this invasive, and there's a plethora of apps which are much more privacy friendly.  So, I guess your guess is not very accurate.

post #37 of 70
Quote:
Originally Posted by AaronJ View Post

 

I don't use FB, and have no interest in doing so.  But can someone, anyone explain to me why 90% of this stuff would be necessary for a FB app?

 

It's not necessary, FB just wants user data and knows that there's a lot of dumb people out there that will not pay attention to the massive list of required permissions.  As evidenced by the few responses here, it is clear though that many of us know better and actively avoid these invasive apps.

post #38 of 70
Quote:
Originally Posted by Neo42 View Post

 

It's not necessary, FB just wants user data and knows that there's a lot of dumb people out there that will not pay attention to the massive list of required permissions.  As evidenced by the few responses here, it is clear though that many of us know better and actively avoid these invasive apps.

 

Basically what I thought, but wanted to know if I missed anything.  Heh.

post #39 of 70
I use a permission manager that lets me choose what an app can and can't have access to. Google should bake it into Android to avoid this sort of problem. It'll also fix some malware problems.
post #40 of 70
Quote:
Originally Posted by koop View Post

Article is the equivalent of an Apple fanboy sticking his tongue out at Android fanboys. classy.

 

 

Actually it's not.  It tells me that even if I chose to use iOS to protect my privacy because I prefer its security options, that doesn't exempt me from stories like this.  I'm not in control of some of my data when my best Android-using friends have my phone number, personal email address, my physical address, etc. in their contacts and then they run something like this Facebook app.  Data I've taken extra steps to keep out of Facebook's grubby hands has now possibly been uploaded to their great big private info vacuum in the clouds.  Frankly that pisses me off.
"Don't ask for whom the bell tolls … it tolls for thee!"  It's not about iOS vs Android - when crap like this happens we're all compromised and it has to stop.
