Why does the Facebook Android app need to read users' SMS and MMS?

Pierluigi Paganini February 02, 2014

The latest update of the Facebook Android app can read the user's text messages. Is this an abuse of privilege, or something else? Here is what is probably going on.

A recent update of the Facebook Android app raised serious privacy concerns because it can read the text messages stored on the smartphone. The climate of suspicion that followed the revelations about the PRISM program is fueling the debate on the excessive privileges requested by many mobile applications.

The new version of the popular Android app demands access to SMS and MMS messages. The update was released recently, and the blogger Tony Calileo noticed the unusual request from Facebook.

Carlyle wrote a blog post criticizing the request made by the app to access “Your Message”:

Facebook Android App SMS MMS permission

“Like most people, I blindly clicked “accept” when prompted for new permissions on Facebook’s Android App update today (Jan 27). Something caught my eye, and after I cancelled the update, I took a screenshot,” said the blogger. “This is just one of a bunch of new permissions the app is requesting for this update, but it’s probably the most alarming.”

Franci Penov, an Android engineer at Facebook, provided an explanation on Reddit: the social network's application needs to read messages to implement automatic two-factor authentication.

“As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned on 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, the Android permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number. It’s also worth noting that we would love to be able to ask only for the permissions we need for the specific features particular users use. For example if you don’t use Facebook events or you don’t want to see them in your device calendar we would prefer to not request the WRITE_CALENDAR calendar; or if you don’t have login approvals and don’t add a phone number, we don’t ask for READ_SMS. However, Android does not allow permission requests on demand; we have to request all permissions that cover each feature at install time, and the users can only grant or deny all of them and have no control over individual permissions,” said Penov.

When a user with two-factor authentication enabled logs in to Facebook, the platform sends an SMS containing the approval code. The Android app captures the text message from the user's inbox and uses it to complete the authentication process.
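The mechanism Penov describes, as an added illustration that is not Facebook's code and not from the original article: because Android (at the time) granted READ_SMS for the whole inbox rather than for one sender, the app itself has to filter messages by sender and extract the code. The simulation below uses a constructed inbox, a hypothetical Facebook short code, and a hypothetical message format; the point it shows is that everything else in the inbox is visible to the app even though only one message is used.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Sms:
    """One message as exposed by the READ_SMS permission: sender plus body."""
    sender: str
    body: str


# Constructed sample inbox. READ_SMS hands the app all of these, not only
# the login-approval message it actually needs.
INBOX: List[Sms] = [
    Sms("+15550001111", "Hey, are we still on for lunch?"),
    Sms("32665", "Your Facebook login code is 471 039."),   # hypothetical short code
    Sms("BANK", "Your bank code is 998877. Do not share it."),
    Sms("+15550002222", "Package delivered to your front door."),
]

# Assumption: the app hardcodes the sender(s) it expects approval codes from,
# because the platform cannot scope the permission to a sender for it.
TRUSTED_SENDERS: Set[str] = {"32665"}

# Six digits, optionally split by a space ("471 039" or "471039").
CODE_PATTERN = re.compile(r"\b(\d{3})\s?(\d{3})\b")


def extract_login_code(messages: Iterable[Sms],
                       trusted_senders: Set[str] = TRUSTED_SENDERS) -> Optional[str]:
    """Return the approval code from the first login message sent by a trusted
    sender, or None. Messages from any other sender are skipped in app code;
    nothing at the permission level stops the app from reading them."""
    for msg in messages:
        if msg.sender not in trusted_senders:
            continue
        if "login code" not in msg.body.lower():
            continue
        match = CODE_PATTERN.search(msg.body)
        if match:
            return match.group(1) + match.group(2)
    return None


def messages_exposed_but_unused(messages: Iterable[Sms],
                                trusted_senders: Set[str] = TRUSTED_SENDERS) -> List[Sms]:
    """The privacy surface: every message the permission exposes that the
    login flow never needs (all messages from non-trusted senders)."""
    return [m for m in messages if m.sender not in trusted_senders]


if __name__ == "__main__":
    print("code used by the app:", extract_login_code(INBOX))
    exposed = messages_exposed_but_unused(INBOX)
    print(f"{len(exposed)} unrelated messages readable but unused:")
    for m in exposed:
        print("  ", m.sender, "->", m.body)
```

The manual alternative the article goes on to argue for would drop `extract_login_code` entirely and have the user type the six digits into the app, which removes the need for READ_SMS and with it the `messages_exposed_but_unused` set.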

The Facebook Help Centre includes a page explaining which privileges the Android app requests and why it needs them.

The real problem is the trade-off between usability and security. I agree with the need to strengthen the authentication mechanism with a second factor, but is it really necessary to do it automatically?

Two-factor authentication is an additional protection for users, so why not ask them to enter the authentication code manually?

Mobile platforms are a privileged target for cyber criminals and state-sponsored hackers, so security requirements are crucial, but privacy concerns are just as high.

Facebook was also recently accused of violating users' privacy because it analyzes everything that is typed and not published (self-censored content), that is, the content users have intentionally chosen not to share.

Users fear government snooping more than fraud: there is a low perception of cyber threats, but high attention to the alleged technological abuses committed by private companies and the NSA in the name of homeland security.

(Security Affairs –  Facebook, Android app)
