Most popular Android app caught harvesting users contacts: Facebook

Posted in iPhone, edited January 2014
Facebook, the top-ranking free app in Google Play, has taken advantage of Android's weak platform security to collect users' phone numbers as soon as the app is installed, highlighting core differences in Apple's approach to protecting users' privacy and those of social-advertising firms like Facebook and Google.

Google Play


The news of Facebook's latest "leak" was outed by Symantec after it analyzed various Android apps using its Norton Mobile Insight tool designed to "discover malicious applications, privacy risks, and potentially intrusive behavior."

Symantec didn't need to dig deep into Google Play to find pay dirt, but its researchers still noted that it "even surprised us when we reviewed the most popular applications exhibiting privacy leaks."

The firm stated, "the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

Just one week ago, Facebook users found that it was possible to download private information from people who had "some connection to them," even when that data had not been intentionally shared with Facebook. That illuminated the company's efforts to secretly collect all kinds of data in its social graph to improve its advertising and friend recommendations, beyond the details intentionally shared by members.

Because the various versions of Android have no coherent security policy regarding the sharing of personal data without the user's permission, Facebook's "automatic sharing" in its Android app affects everyone, even iOS users with Android friends.

Symantec said it "reached out" to Facebook, which it said "investigated the issue and will provide a fix in their next Facebook for Android release." Facebook denied that it was collecting the data for actual use and stated that it had deleted the information from its servers.

"Unfortunately, the Facebook application is not the only application leaking private data or even the worst," Symantec noted. "We will continue to post information about risky applications to this blog in the upcoming weeks." In the meantime, the firm recommends that Android users download its tool to see which Android apps are "leaking" private information.
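As an added, defender-side illustration (not from the article, from Symantec's tool, or from the Facebook app): a short Python check that parses an Android manifest and flags the install-time permission pairing that makes a first-launch phone-number upload possible without any prompt. The manifest below is constructed for a hypothetical app, and the permission-to-data mapping is this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Install-time permissions that unlock the data classes the article discusses.
PII_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "phone number and device IDs (TelephonyManager)",
    "android.permission.READ_CONTACTS": "address book",
}
NETWORK_PERMISSIONS = {"android.permission.INTERNET"}

# Constructed sample manifest for a hypothetical app; NOT the Facebook APK's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="17"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def privacy_risk(manifest_xml):
    """Rate a manifest by whether PII permissions are paired with network access.

    Before Android 6.0 all of these were granted at install time with no runtime
    prompt, so an app holding both halves can read and transmit the phone number
    on first launch, which is the behaviour Symantec described.
    """
    perms = requested_permissions(manifest_xml)
    pii = {p: PII_PERMISSIONS[p] for p in perms if p in PII_PERMISSIONS}
    network = bool(perms & NETWORK_PERMISSIONS)
    if pii and network:
        risk = "high"     # can read the data and has a path to send it off-device
    elif pii:
        risk = "medium"   # can read it, but declares no network permission
    else:
        risk = "low"
    return {"risk": risk, "network_access": network, "pii_permissions": pii}

if __name__ == "__main__":
    report = privacy_risk(SAMPLE_MANIFEST)
    print("risk:", report["risk"])
    for perm, what in sorted(report["pii_permissions"].items()):
        print("  %s -> %s" % (perm, what))
```

The same check runs over a real manifest once it has been pulled out of an APK and decoded to plain XML.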

Apple's Walled Garden

Apple's "walled garden" approach to its mobile platform has long erected barriers for app developers, forcing them to request permission before collecting the user's location data, well before anyone anticipated that developers would broadly harvest location data.

Last year, Apple's iOS 6 similarly began to block unauthorized access to Contacts after Path was found to be uploading users' address books without asking. One year later, 96 percent of iOS users are on the latest version and protected by the security enhancement.

Mobile OS installed base stats


Due to fragmentation on even new Android phones, Google's platform can't be similarly secured even if it were in Google's interests to stop app developers from sharing users' private data for advertising and social recommendation purposes.

Apple's app model on iOS has always blocked third party apps from collecting data from other apps or reading other apps' files that aren't expressly accessed by the user. The company has also worked to protect users' privacy when browsing, turning off injected cookie tracking by default in Safari.

That practice has stymied the efforts of advertising networks to build dynamic Facebook-style dossiers on individuals for ad tracking and behavior purposes, something that bothered Google so much that it simply ignored the security settings to collect data for ads and Google+, eventually resulting in the largest fine in FTC history.

Corporations' end run around Constitutional rights

Recent leaks describing corporate cooperation with government requests for private information have highlighted how businesses that collect large amounts of data for marketing, social graph or other purposes are effectively creating huge repositories for governments to tap into, often with minimal oversight in place to prevent abuses.

Public concerns about the U.S. government's spying programs have reached such a fever pitch that Ars recently launched an investigation into whether Apple's iMessage, an encrypted enhancement that provides far more security than plain text SMS messages, could potentially be "spied upon" by Apple itself, something the company has said it simply does not do.

"Apple has always placed a priority on protecting our customers' personal data," the company had stated earlier, "and we don't collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it."

No comment was made in the article about the complete lack of messaging security on other mobile platforms where SMS messaging isn't encrypted at all, including Android and Windows Mobile.

Encryption does appear to be having an impact on government efforts to police via wiretaps, however. A report this week by David Kravets of Wired cited a document by the U.S. Administrative Office of the Courts which noted:

"Encryption was reported for 15 wiretaps in 2012 and for 7 wiretaps conducted during previous years. In four of these wiretaps, officials were unable to decipher the plain text of the messages. This is the first time that jurisdictions have reported that encryption prevented officials from obtaining the plain text of the communications since the AO began collecting encryption data in 2001."

Kravets wrote that "the encryption numbers begin to highlight the government's stated fear, and its propaganda railing against encryption - which is a standard feature on today's Apple computers."

He also pointed out that "97 percent of the wiretaps issued last year were for 'portable devices' such as mobile phones and pagers," and "about 87 percent of the wiretaps were issued in drug-related cases."

Comments

  • Reply 1 of 73
    gregord (Posts: 36, member)
    Pagers? Was this article written in 1993?
  • Reply 2 of 73
    jungmark (Posts: 6,529, member)
    MSM: nothing to see here. Move along. We could rag on Facebook, but no one trusts them anyway.
  • Reply 3 of 73
    ireland (Posts: 17,092, member)
    Pot kettle.
  • Reply 4 of 73
    steven n. (Posts: 1,006, member)
    This is mostly a non-story in relationship to iOS strengths VS weaknesses compared to Android. iOS has had its own cases of FUBARs in this exact type of thing as well.

    The sad state is many applications use various frameworks with minimal testing going on as to what the frameworks do. Many of these are designed for analytics and, if you don't really do your homework, you can get caught with these things. This is not to excuse the behavior but iOS and Android are equally guilty with or without the fragmentation issues.
  • Reply 5 of 73
    ktappe (Posts: 745, member)
    So how's that open platform thing workin' out for ya?
  • Reply 6 of 73
    suddenly newton (Posts: 13,707, member)
    Privacy and social networks are opposing concepts. But I have to agree that merely installing an app shouldn't cause you to surrender your contact list. It's onerous. I'm sure Facebook worked it into their terms and conditions of use, so it's not like you can do anything about it, except not use Android.
  • Reply 7 of 73
    charlituna (Posts: 7,162, member)
    Third article in a row with a specious connection to being even Apple rumor, much less news, and the fourth that is nothing but hit whoring.

    Did everyone go on vacay and leave DED in charge?
  • Reply 8 of 73
    tribalogical (Posts: 1,160, member)
    The thing is, "functionality" like this doesn't happen by accident. It doesn't get programmed without absolute and clear intent.

    So, Facebook covering and backpedaling by "investigating" and claiming they've deleted all the gathered data is hooey. Just like there's no-one checking to see how egregiously these apps behave, there's also no-one checking the veracity of those claims. Just saying they have doesn't mean they have.

    If someone actually had a way to check it, they'd no doubt find something, and all FB would have to do then is walk it back by saying something like, "oh, we overlooked a few, we'll take care of that right away"…

    By then, the data has been resold and redistributed widely. Nothing to be done about it by then…

    Yet another event reinforcing my decision to remove all my 'data' from FB 18 months ago, logout, and to never look back.
  • Reply 9 of 73
    apple ][ (Posts: 8,360, member)
    Wow! Stealing people's phone numbers?

    I am so glad that I am not on Facebook and even more glad that I am not on Android. What a freakin' nightmare and disaster.
  • Reply 10 of 73
    tribalogical (Posts: 1,160, member)
    Quote (originally posted by Suddenly Newton):
        Privacy and social networks are opposing concepts. But I have to agree that merely installing an app shouldn't cause you to surrender your contact list. It's onerous. I'm sure Facebook worked it into their terms and conditions of use, so it's not like you can do anything about it, except not use Android.

    Mostly agree, except for the solution (which I also agree with in principle, but…).

    You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...
  • Reply 11 of 73
    nagromme (Posts: 2,834, member)
    Quote (originally posted by Steven N.):
        This is mostly a non-story in relationship to iOS strengths VS weaknesses compared to Android. iOS has had its own cases of FUBARs in this exact type of thing as well.

        The sad state is many applications use various frameworks with minimal testing going on as to what the frameworks do. Many of these are designed for analytics and, if you don't really do your homework, you can get caught with these things. This is not to excuse the behavior but iOS and Android are equally guilty with or without the fragmentation issues.

    They're not "equally guilty." Android is far MORE guilty.

    The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

    For instance: Facebook couldn't do this on iOS.
  • Reply 12 of 73
    rob bonner (Posts: 230, member)
    Cue the congressional hearings . . . not holding my breath on that one.
  • Reply 13 of 73
    stelligent (Posts: 2,680, member)
    The culprit here is Facebook. It's not true that no one trusts it. Those who deny Facebook's popularity are demonstrating ignorance.
  • Reply 14 of 73
    os2baba (Posts: 262, member)
    Quote (originally posted by nagromme):
        They're not "equally guilty." Android is far MORE guilty.

        The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

        For instance: Facebook couldn't do this on iOS.

    http://gizmodo.com/5885321/how-iphone-apps-steal-your-contact-data-and-why-you-cant-stop-it
  • Reply 15 of 73
    apple ][ (Posts: 8,360, member)
    Quote (originally posted by stelligent):
        The culprit here is Facebook. It's not true that no one trusts it. Those who deny Facebook's popularity are demonstrating ignorance.

    There are certainly a lot of people who bash Facebook, including me, but who is denying its popularity? Facebook has a lot of users, but so what?

    If ten people jump off a bridge, am I going to follow their lead?
  • Reply 16 of 73
    bigmig (Posts: 77, member)
    I don't get it, if you're an Android user you're already sharing your contacts with Google. Sharing them with Facebook too is no more or less of a privacy violation at that point, so what's the problem?
  • Reply 17 of 73
    christopher126 (Posts: 3,920, member)
    Quote (originally posted by Apple ][):
        Wow! Stealing people's phone numbers?

        I am so glad that I am not on Facebook and even more glad that I am not on Android. What a freakin' nightmare and disaster.

    Me too. SJ said FB's conditions were "too onerous!" That's good enough for me.
  • Reply 18 of 73
    droidftw (Posts: 1,009, member)
    I went to install the FB app on my android phone once until I saw all the unnecessary permissions it wanted. I decided to instead use FB thru the Chrome browser. I don't really care if FB has my number, but they can't have full access to my phone.
  • Reply 19 of 73
    suddenly newton (Posts: 13,707, member)
    Quote (originally posted by tribalogical):
        Mostly agree, except for the solution (which I also agree with in principle, but…).

        You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

    You are correct, that is a valid option.

    However, IF (1) users don't agree to the terms and conditions of use until they first use (launch) the app, and (2) the app harvests your data when you install it (as the poorly-worded article states), but before you can consent to the terms and conditions of use, then Facebook is wrong.
  • Reply 20 of 73
    jfc1138 (Posts: 3,090, member)
    I wouldn't be too sure even about the Apple Facebook implementation. I had students I work with in my lab suggested for "friending" when I've deliberately never put in my employment or university affiliation. EVER, and they have zero association with anyone I had listed as friends. Maybe they're suggesting people that run off the same WiFi network? As would be the case in the lab....