Facebook Messenger and Google Hangouts

We put Facebook's much-maligned messaging app permissions up against Google's Hangouts app

Not to belabor the point — because I think most everyone who read our takedown of all the FUD and confusion surrounding the ill-informed stories about Facebook Messenger got it — but here's an interesting exercise. We recently recommended that when you have questions about the permissions an application is declaring, you should look at a similar app. It might not tell you the whole story, but it should give you a pretty good idea of whether an app has the power to do something nefarious.

If, say, one wallpaper application has the ability to make phone calls and another doesn't, you need to look for why it needs that ability. Make sense?

So let's put Facebook Messenger up against another popular messaging app — Google Hangouts. If you somehow haven't used Hangouts before, it's Google's messaging service, and it also now is Google's preferred text messaging app. (Though you'll still find other messaging apps on most manufacturers' phones, even if they have Hangouts installed.)

Let's put the permissions side by side — as copied directly from Google Play — and see what it looks like. All in the name of science.

Identity

Facebook Messenger Google Hangouts
Find accounts on the device Find accounts on the device
Read your own contact card Add or remove accounts

Looks a little like Google Hangouts has just a little more power there, with the ability to add or remove accounts. Not anything we'd be worried about, though. It's the sort of thing you'd expect to see in a Google service app.

Contacts/calendar

Facebook Messenger Google Hangouts
Read your contacts Read your contacts
Modify your contacts

So Google Hangouts has the added ability of being able to modify your contacts and not just read them. Facebook Messenger can only read your contacts.

Location

Facebook Messenger Google Hangouts
Approximate location (network-based) Approximate location (network-based)
Precise location (GPS and network-based) Precise location (GPS and network-based)

This one, unsurprisingly, is dead even. Pretty standard stuff for finding your location, really. And both apps allow you to attach your location to a message. (Hangouts, though, requires you to add it yourself, whereas Facebook Messenger shares your location in every new message by default. Here's how to turn that off.)

SMS (text messaging)

Facebook Messenger Google Hangouts
edit your text messages (SMS or MMS) read your text messages (SMS or MMS)
receive text messages (SMS) receive text messages (SMS)
read your text messages (SMS or MMS) send SMS messages
send SMS messages edit your text messages (SMS or MMS)
receive text messages (MMS) receive text messages (MMS)

The only interesting here is that Facebook Messenger and Google Hangouts are listing the exact same sub-permissions in slightly different orders. (I have no idea why.) Otherwise, this is exactly what you'd expect to see in a couple apps that serve as text messaging applications.

Phone

Facebook Messenger Google Hangouts
edit your text messages (SMS or MMS) read your text messages (SMS or MMS)
Directly call phone numbers Directly call phone numbers
Read call log

Facebook Messenger can see your call log. Hangouts can't. It'll be interesting to see if that changes if and when Google Voice gets folded in.

Photos/media files

Facebook Messenger Google Hangouts
Test access to protected storage Modify or delete the contents of your USB storage
Modify or delete the contents of your USB storage Test access to protected storage

Again, standard stuff for an application that wants to cache any sort of data instead of re-downloading it again and again. It's just not explained clearly at all.

Camera/microphone

Facebook Messenger Google Hangouts
Take pictures and videos Record audio
Record audio Take pictures and videos

Want to take pictures or video? Want to use the microphone at all? You need these permissions. Standard. Stuff.

Wi-Fi connection information

Facebook Messenger Google Hangouts
View Wi-Fi connections View Wi-Fi connections

Another basic permission shared by both apps, and there are myriad reasons why an app would declare this. Hangouts, for example, needs to move a lot of data if you're making a video call. So it'd want to know if you're on Wifi or a cellular connection.

Device ID & call information

Facebook Messenger Google Hangouts
Read phone status and identity Read phone status and identity

As we've explained before, this is a bad name for a permission that allows a number of low-level things that apps might need. Apps also need it to see if there's an active call. Again, nothing you wouldn't expect in either Facebook Messenger or Hangouts.

Other permissions

Facebook Messenger Google Hangouts
Receive data from Internet receive data from Internet
Download files without notification read instant messages
Run at startup Exchanges messages
and receives sync notifications from Google servers
Prevent device from sleeping full network access
View network connections control vibration
Install shortcuts run at startup
Change your audio settings use accounts on the device
Read Google service configuration view network connections
Draw over other apps control Near Field Communication
Full network access read Google service configuration
Read sync settings prevent device from sleeping
Control vibration change your audio settings
Change network connectivity pair with Bluetooth devices
change network connectivity
send sticky broadcast

There's a lot going on here, we know. But look at how much of it matches up between Facebook Messenger and Hangouts. Messenger has a couple permissions for its Chat Heads feature (draw over other apps and install shortcuts) that Hangouts doesn't, and Hangouts has NFC and Bluetooth permissions, and another one for some Google services, that Facebook lacks.

So what does it it all mean?

Facebook Messenger and Google Hangouts

Not that we really needed any more evidence, but it's pretty plain to see that Facebook Messenger doesn't declare an inordinate amount of permissions — in fact, Google Hangouts has two more, if you're worried about the plus or minus — not that the number of permissions an app declares is indicative of anything other than the app does a lot of things that requires permissions. Nor does Facebook Messenger declare anything that you wouldn't expect to see in a messaging app.

Permissions still are too often misunderstood, but they're getting better.

Using anything on the Internet requires some amount of trust. Permissions show you the broad scope of what an app can do. But, yes, you still must trust that it doesn't do something untoward within those boundaries. Most of us use web pages without watching the developer console or sniffing packets as they fly overhead. And there are still safety catches in place. Phones don't ship with root access. Phones don't ship with "allow installation of apps from unknown sources" checked by default. And if you want to plug in to a computer and have command line access, you're going to need to tick another checkbox and then approve the connection on your phone. And on the app side, we have Google checking not only apps in Google Play for malware, but (if you allow it) apps that have been sideloaded onto your phone.

We're going to continue to see misunderstandings about Android permissions. Some of that is stories that are just looking to cause trouble. But a lot of that also falls on Google's shoulders because of the dry, engineering sort of language used in the describing of the permissions. (Though it does look like Google has quietly removed some of the addition descriptions in permissions. Tapping one no longer pops up more dry language, and that in particular gets rid of the very misunderstood "at any time" clause for things like use of the camera and microphone.) Google will continue to improve and educate, and improve the way it explains things.