Facebook Messenger permissions: Not as scary as the stories might have you believe
The FUD is fierce as a 9-month-old story paints a scary — but not really correct — view of Android permissions
You can't swing a dead cat on the Internet these days without running into yet another misguided story about how scary Android is, and about how apps have access to do all sorts of scary-sounding things. Making the rounds this week is the rehashing of a December 2013 Huffington Post story by Sam Fiorella, whose byline paints him as a partner with Sensei Marketing, and author of Influence Marketing. It's a scary-sounding (and recently updated and corrected piece, starting thusly:
Scary stuff, indeed. And this week folks have been blindly reblogging this scary story within an inch of its life, presumably in hopes of keeping scary things from happening and saving the world or something.
Here's the thing, though: These scary stories aren't telling you the whole truth. They're spreading what we call Fear, Uncertainty and Doubt. They're irresponsible, show a distinct lack of knowledge on the way Android permissions work, and frankly they do very little to educate. That's not to say you shouldn't look at an app's permissions before installing it — you absolutely should. But we also need to remember to think about why an app may be declaring the permissions it is.
Let's take a look at what Facebook Messenger is, exactly, up to.
What are Android permissions, and why should you read them?
If you've ever installed an Android app, chances are you've seen its list of declared permissions. Every now and then you'll come across an app that doesn't have to declare any special permissions, but that's generally the exception and not the rule. And moreover, chances are you've quickly tapped through the list of declared permissions so you could just install the damn app. We've all done it. We know better, but we do it.
So what are permissions? And why does my phone need access to all that stuff? Because they're keeping you safe. Any time an app wants to use a feature that's considered "protected" by the system, it'll have to tell you that it wants to do so. In Android's case, it declares permissions before you install an app. You see them in Google Play. You see them on the device itself any time an app is installed, whether it's from Google Play or somewhere else. If an app wants to use, say, the camera, it must declare it as a permission, otherwise it can't use the camera.
What might an app need permission to access? Your camera, for one. Location via GPS is another. Same for using telephony, network and other data connections (think phone calls, getting online and the like), SMS and MMS (text messaging), and Bluetooth use. If an app wants to use any part of any of those things, it must declare the permission.
And Android has gotten better about permissions as you see them today, simplifying the list and consolidating permissions that shouldn't seem out of the ordinary ("Of course this browser needs Internet access"), making them a little easier to read — but it still has a ways to go in the way it actually explains the permissions. They're still pretty broad and don't really give any insight as to why the app you're installing might need access to those things, and it's not always obvious. They're also still not really written in English (though, again, they're better than they used to be). So they might well sound a little scary, even though they shouldn't be.
And as we're seeing in this latest round of FUD, it's real easy to get folks' knickers in a twist.
Let's look at Facebook messenger's permissions
As we said, you're kind of left to your own devices to decide whether the permissions an app is declaring are scary, or necessary. (Though we'd argue that a company like Facebook probably couldn't get away with sneaking something through for very long, but that's not really the point of this exercise.)
So, let's go through them, one by one, as they're currently listed. (Note that the order is different than what you'll find in that original December 2013 HuffPo FUD piece, and the subsequent reblogs.)
- Directly call phone numbers. This one's followed by a yellow "This may cost you money" warning, and a little image of coins, again indicating that it could, potentially, cost you money.
- Read phone status and identity.
Why these permissions: Because Facebook messenger can call people. Or, rather, it can initiate a call. If someone has given Facebook their phone number, you'll be able to call them through this app. At the same time, the app has the ability to see what your phone number is.
- Edit your text messages (SMS or MMS)
- Read your text messages (SMS or MMS)
- Receive text messages (MMS)
- Receive text messages (SMS)
- Send SMS messages (This may cost you money)
Why these permissions: Facebook Messenger uses an SMS to confirm your phone number when you decide to give it to Facebook. Note how that works in conjunction with the "read phone identity" permission above. Facebook Messenger also allows you to send a text message or MMS to someone who isn't yet on Messenger. (You have to give it access to your contacts, though, for that to work.)
- Take pictures and videos
Why this permission: Facebook Messenger can use the camera to ... wait for it ... take a picture or shoot video.
- Record audio
Why this permission: Facebook Messenger can use your microphone to ... wait for it ... record a message to send to a friend. Or make phone calls.
- Approximate location (network-based)
- Precise location (GPS and network-based)
Why these permissions: Because Facebook Messenger, just just about every other social network, uses location for all sorts of things. And there's more than one way to get location on a device.
- Read call log
- Read your contacts
- Read your own contact card
Why these permissions: Facebook Messenger is a messenger app, and it has the ability to sync up with your phone contacts. (That's a separate process altogether, but it still has to declare the permission up front if it's going to do any of it from your phone.)
- Modify or delete the contents of your SD card
- Read the contents of your SD card
Why these permissions: Facebook's addressed this one directly already regarding its Facebook proper app, but it's also a pretty standard permission for any app that needs to cache data somewhere. In this case, think your friends' contact pictures. Instead of downloading them every time you use the app, which is slow and costs data, it stores them. (And that's just one example.) And "SD card" is a misnomer (and another example of how permissions can be clunky), because it's not actually talking about a physical SD card.
- Find accounts on the device
- Read Google service configuration
Why these permissions: Facebook Messenger is a Facebook app. And you know how you're able to use your Facebook account to sign into other things. (Including our Mobile Nations sites, actually.) And if you look in the main accounts settings on your device, you'll see the Facebook service listed here. Thus, the permission.
- Change network connectivity
- Download files without notification
- Full network access
- Receive data from Internet
- View network connections
- View Wifi connections
Why these permissions: This sort of thing often sounds far more scary than it should. First, the obvious: Facebook Messenger needs a data connection. Full stop. That explains most of that there. As for downloading files without notification, ever wonder how Facebook apps sometimes look different even though you didn't actually update the app? There you go. (Not saying we're a fan of that one, by the way. We'd prefer transparency.)
- Run at startup: Facebook Messenger is a messaging app. In order to be effective, it needs to be open. So it sets itself to run at startup in the background.
- Draw over other apps: Two words: Chat Heads.
- Control vibration/prevent phone from sleeping: Pretty standard for notifications in an app like this.
- Read sync settings: Lets the app see if background syncing is on.
- Install shortcuts: Again, Chat Heads and your home screen.
The bottom line: Just because it sounds scary doesn't mean it is.
In Android, you accept permissions wholesale — either you install the app, or you don't. That differs from how things work in iOS and Windows Phone, and whether it's a better way of doing things is up for debate. If, say, you tell an app not to send you push notifications in the app's settings, it'll still have the proper permissions to do so. Same thing for text messages here. Even if I don't use Facebook Messenger for that, it still has to declare the permissions — just in case I want to use that feature.
And Google still could do a better job making them more readable for the regular user. Probably the biggest culprit is when you tap on a permission and see it talking about allowing the camera to take a picture "at any time." Really what that means is "we won't ask you again if you want to use the camera when you open the camera, because chances are you're trying to use the camera." (That's different, however, than the roadblock you hit if you have more than one camera app installed. But that's another thing for another day.)
On the other hand, app developers could explain in the app description (or at least link to a web page) why the app is declaring the permissions it's declaring. And many developers do, including us with the Android Central App (opens in new tab).
Facebook, for its part, told the Wall Street Journal essentially what we're telling you here: The original HuffPo piece is bunk. In fact, when called out by a commenter, the FUD's author not only basically admits to spreading the FUD, he makes it worse.
Here's what stops a hacker or other app from doing so, Sam: The permissions system. And also the other malware and security protections Google has in place.
That's not to say Facebook or any other major company is beyond reproach, or that you shouldn't question its motives. We've seen Facebook pull some shady stuff before. But Fiorella is correct in that we shouldn't blindly install apps. Read the permissions. Ask questions. Look at similar apps and see if they have similar permissions. (You'll find many of Facebook Messenger's permissions in, say, Google's Hangouts app (opens in new tab).) But be sure to think twice before scaring the hell out of folks and spreading Fear, Uncertainty and Doubt like Fiorella did some nine months ago. And be sure to think twice when you read obviously alarmist stories.
More on permissions
We also recommend reading through:
Get the Android Central Newsletter
Instant access to breaking news, the hottest reviews, great deals and helpful tips.
Now, it'll be archived off after some point, but it never really goes away.
I bet you can find one person at Apple who owns a Windows phone.
I bet you can find one person at the NSA who thinks domestic spying is bad. I don't know how your comment is an example of anything.
As an example of that:
http://www.nytimes.com/2014/06/27/technology/facebook-battles-manhattan-... What would you do if it was your business in their position?
Oh, and I just counted permissions. This is from Privacy Guard in CM on a Nexus 5. Permissions requested:
G+ = 11
FB = 20
Curl2k1: Permission denied!
Out of curiosity, I checked Play Services. 20 Posted via Android Central App
Well... You can click the camera button and take a giving picture and send it instantly... That's why... Man people are dense sometimes... Posted via Android Central App
Either you trust them or you don't. Big government Big corporations Big companies aren't truly trustworthy. They never have been nor will ever be. It is up to the individual to decide for themselves It is also up to Google to explain what these permissions do in plain English or any other language so those folks can understand what they are and why and to verify any application before putting on the play store if they need them. The developer should be able to provide their reasons for asking for them and if they can't, they don't get their apps and updates pushed. Posted via Android Central App from my HTC M8
The way I look at it is Facebook already has all of your info so they're not getting much more than their users already freely give them. What's more annoying is that the users who complain about it most seem to be the same users post their whole lives on facebook Posted via Android Central App
I actually suspect some of the features the app has are purely to serve as an excuse to request the more extensive permissions for a more sinister cause.
You might say other apps like hangouts have similar permissions. It might be the case that both Google and Facebook use them to collect personal data...
For me personally, I'm a lot more worried about what Facebook will do with that data compared to Google, given their shady history. Just my slightly paranoid (but with good reason) view.
I had two applications I never had update, I mean for ages! Those were HP Print Service and Google Play Music, the updates needed some extra permission which I had to accept, but I felt like going kind of lazy/"safe" and staying with the auto-updates. But when I installed Messenger those two apps auto-updated themselves. I know should do some study and see if there was a newer update, for both, with the same old permissions, same time with messenger installation, but it already seems quit a coincidence to be true, I guess you know what I mean
Can you explain to me this is not the case? The distinction of desktop apps and hand-hold devices apps.
Since the computer so far, the apps available in the computer and the store-bought computer software. If I'm not mistaken, they never require details of my phone contacts, read my message, read my files ... etc. Its mission is the act as the dummy, I'm execute apps. But these apps for tablets, smartphones, most of them require your privacy. So that the flashlight app is also requiring your privacy? Do you feel ridiculous ? For me, privacy issues are not important because we live in a modern innovative technology. Your profile can leak everywhere in the doctor's office, hospital, job placement agencies, banks, IRS ... etc and your profile in the e-mail account, G +, Facebook, Twister. ..etc. So, you have definitely thought: give it up or be enslaved by modern toys. We have too many apps for communication: Hangout, Yahoo Messenger, Tango, Viber, Facebook Messenger, Skype ... etc. These are the problems in the future, and it also thwarted develpers issues preventing battery saving. Leakage problem is very difficult to prevent. So I recommend that you do not have a 100% assured. "LIVE WITH IT or LEAVE IT".
4. Draw over other apps: again abusive - no apps should take control over the interface, Android already has a nice notification area for it.
5. Control vibration/prevent phone from sleeping: there should only one central location for controlling these thing, the Androif setting. Thank you! We do not apps overriding these. And also, do not try to compare it with the Google Hangouts: your whole device is shared with google one way or another. We do not need another player in the game.
i had Porn / Torrent / Fileupload / ddl / efly Law from all world was after me try turn me down but my Host master keep me safe So 100 % Pro Host i can give you never get 1 better PM ME TO GET YOUR OWN BANKBOX FOR YOUR BIZNESS OR PRIVAT
P.s today im a good follow the Law ! lol
1 - Batman had to tap every phone in the city to find the bad guys.
2 - The facebook messenger app can update it's program to hear or see from every phone that has it running.
3 - Batman owns facebook!
It is free