Facebook Messenger permissions scare debunked

The FUD is fierce as a 9-month-old story paints a scary — but not really correct — view of Android permissions

You can't swing a dead cat on the Internet these days without running into yet another misguided story about how scary Android is, and about how apps have access to do all sorts of scary-sounding things. Making the rounds this week is the rehashing of a December 2013 Huffington Post story by Sam Fiorella, whose byline paints him as a partner with Sensei Marketing, and author of Influence Marketing. It's a scary-sounding (and recently updated and corrected piece, starting thusly:

How much access to your (and your friends') personal data are you prepared to share for access to free mobile apps? I suspect the amount is significantly less than that which you actually agreed to share when blindly accepting the Terms of Service.Case in point: Facebook's Messenger App, which boasts over 1,000,000,000 downloads, requires the acceptance of an alarming amount of personal data and, even more startling, direct control over your mobile device. I'm willing to bet that few, if any, of those who downloaded this app read the full Terms of Service before accepting them and downloading the app.

Scary stuff, indeed. And this week folks have been blindly reblogging this scary story within an inch of its life, presumably in hopes of keeping scary things from happening and saving the world or something.

Here's the thing, though: These scary stories aren't telling you the whole truth. They're spreading what we call Fear, Uncertainty and Doubt. They're irresponsible, show a distinct lack of knowledge on the way Android permissions work, and frankly they do very little to educate. That's not to say you shouldn't look at an app's permissions before installing it — you absolutely should. But we also need to remember to think about why an app may be declaring the permissions it is.

Let's take a look at what Facebook Messenger is, exactly, up to.

What are Android permissions, and why should you read them?

If you've ever installed an Android app, chances are you've seen its list of declared permissions. Every now and then you'll come across an app that doesn't have to declare any special permissions, but that's generally the exception and not the rule. And moreover, chances are you've quickly tapped through the list of declared permissions so you could just install the damn app. We've all done it. We know better, but we do it.

Permissions are integral to the Android experience. And they're still a little clunky.

So what are permissions? And why does my phone need access to all that stuff? Because they're keeping you safe. Any time an app wants to use a feature that's considered "protected" by the system, it'll have to tell you that it wants to do so. In Android's case, it declares permissions before you install an app. You see them in Google Play. You see them on the device itself any time an app is installed, whether it's from Google Play or somewhere else. If an app wants to use, say, the camera, it must declare it as a permission, otherwise it can't use the camera.

What might an app need permission to access? Your camera, for one. Location via GPS is another. Same for using telephony, network and other data connections (think phone calls, getting online and the like), SMS and MMS (text messaging), and Bluetooth use. If an app wants to use any part of any of those things, it must declare the permission.

And Android has gotten better about permissions as you see them today, simplifying the list and consolidating permissions that shouldn't seem out of the ordinary ("Of course this browser needs Internet access"), making them a little easier to read — but it still has a ways to go in the way it actually explains the permissions. They're still pretty broad and don't really give any insight as to why the app you're installing might need access to those things, and it's not always obvious. They're also still not really written in English (though, again, they're better than they used to be). So they might well sound a little scary, even though they shouldn't be.

And as we're seeing in this latest round of FUD, it's real easy to get folks' knickers in a twist.

Let's look at Facebook messenger's permissions

As we said, you're kind of left to your own devices to decide whether the permissions an app is declaring are scary, or necessary. (Though we'd argue that a company like Facebook probably couldn't get away with sneaking something through for very long, but that's not really the point of this exercise.)

So, let's go through them, one by one, as they're currently listed. (Note that the order is different than what you'll find in that original December 2013 HuffPo FUD piece, and the subsequent reblogs.)

Phone calls

Directly call phone numbers. This one's followed by a yellow "This may cost you money" warning, and a little image of coins, again indicating that it could, potentially, cost you money.
Read phone status and identity.

Why these permissions: Because Facebook messenger can call people. Or, rather, it can initiate a call. If someone has given Facebook their phone number, you'll be able to call them through this app. At the same time, the app has the ability to see what your phone number is.

Texting

Edit your text messages (SMS or MMS)
Read your text messages (SMS or MMS)
Receive text messages (MMS)
Receive text messages (SMS)
Send SMS messages (This may cost you money)

Why these permissions: Facebook Messenger uses an SMS to confirm your phone number when you decide to give it to Facebook. Note how that works in conjunction with the "read phone identity" permission above. Facebook Messenger also allows you to send a text message or MMS to someone who isn't yet on Messenger. (You have to give it access to your contacts, though, for that to work.)

Camera

Take pictures and videos

Why this permission: Facebook Messenger can use the camera to ... wait for it ... take a picture or shoot video.

Microphone

Record audio

Why this permission: Facebook Messenger can use your microphone to ... wait for it ... record a message to send to a friend. Or make phone calls.

Location

Approximate location (network-based)
Precise location (GPS and network-based)

Why these permissions: Because Facebook Messenger, just just about every other social network, uses location for all sorts of things. And there's more than one way to get location on a device.

Contacts

Read call log
Read your contacts
Read your own contact card

Why these permissions: Facebook Messenger is a messenger app, and it has the ability to sync up with your phone contacts. (That's a separate process altogether, but it still has to declare the permission up front if it's going to do any of it from your phone.)

SD card

Modify or delete the contents of your SD card
Read the contents of your SD card

Why these permissions: Facebook's addressed this one directly already regarding its Facebook proper app, but it's also a pretty standard permission for any app that needs to cache data somewhere. In this case, think your friends' contact pictures. Instead of downloading them every time you use the app, which is slow and costs data, it stores them. (And that's just one example.) And "SD card" is a misnomer (and another example of how permissions can be clunky), because it's not actually talking about a physical SD card.

Accounts

Find accounts on the device
Read Google service configuration

Why these permissions: Facebook Messenger is a Facebook app. And you know how you're able to use your Facebook account to sign into other things. (Including our Mobile Nations sites, actually.) And if you look in the main accounts settings on your device, you'll see the Facebook service listed here. Thus, the permission.

Network

Change network connectivity
Download files without notification
Full network access
Receive data from Internet
View network connections
View Wifi connections

Why these permissions: This sort of thing often sounds far more scary than it should. First, the obvious: Facebook Messenger needs a data connection. Full stop. That explains most of that there. As for downloading files without notification, ever wonder how Facebook apps sometimes look different even though you didn't actually update the app? There you go. (Not saying we're a fan of that one, by the way. We'd prefer transparency.)

Other permissions

Run at startup: Facebook Messenger is a messaging app. In order to be effective, it needs to be open. So it sets itself to run at startup in the background.
Draw over other apps: Two words: Chat Heads.
Control vibration/prevent phone from sleeping: Pretty standard for notifications in an app like this.
Read sync settings: Lets the app see if background syncing is on.
Install shortcuts: Again, Chat Heads and your home screen.

The bottom line: Just because it sounds scary doesn't mean it is.

In Android, you accept permissions wholesale — either you install the app, or you don't. That differs from how things work in iOS and Windows Phone, and whether it's a better way of doing things is up for debate. If, say, you tell an app not to send you push notifications in the app's settings, it'll still have the proper permissions to do so. Same thing for text messages here. Even if I don't use Facebook Messenger for that, it still has to declare the permissions — just in case I want to use that feature.

And Google still could do a better job making them more readable for the regular user. Probably the biggest culprit is when you tap on a permission and see it talking about allowing the camera to take a picture "at any time." Really what that means is "we won't ask you again if you want to use the camera when you open the camera, because chances are you're trying to use the camera." (That's different, however, than the roadblock you hit if you have more than one camera app installed. But that's another thing for another day.)

App permissions are important. Be sure to read them. But also think about what an app actually does.

On the other hand, app developers could explain in the app description (or at least link to a web page) why the app is declaring the permissions it's declaring. And many developers do, including us with the Android Central App.

Facebook, for its part, told the Wall Street Journal essentially what we're telling you here: The original HuffPo piece is bunk. In fact, when called out by a commenter, the FUD's author not only basically admits to spreading the FUD, he makes it worse.

I would agree that it's not Facebook Messenger's intention to record audio or take a photo without being initiated (eg. taking/adding a pic to a text msg) but once you give permission for the app to do so automatically, what's to stop a hacker or other app from doing so? We have too much blind faith...that's the point I'm trying to make.

Here's what stops a hacker or other app from doing so, Sam: The permissions system. And also the other malware and security protections Google has in place.

That's not to say Facebook or any other major company is beyond reproach, or that you shouldn't question its motives. We've seen Facebook pull some shady stuff before. But Fiorella is correct in that we shouldn't blindly install apps. Read the permissions. Ask questions. Look at similar apps and see if they have similar permissions. (You'll find many of Facebook Messenger's permissions in, say, Google's Hangouts app.) But be sure to think twice before scaring the hell out of folks and spreading Fear, Uncertainty and Doubt like Fiorella did some nine months ago. And be sure to think twice when you read obviously alarmist stories.