Facebook Messenger permissions: Not as scary as the stories might have you believe

The FUD is fierce as a 9-month-old story paints a scary — but not really correct — view of Android permissions

You can't swing a dead cat on the Internet these days without running into yet another misguided story about how scary Android is, and about how apps have access to do all sorts of scary-sounding things. Making the rounds this week is the rehashing of a December 2013 Huffington Post story by Sam Fiorella, whose byline paints him as a partner with Sensei Marketing, and author of Influence Marketing. It's a scary-sounding (and recently updated and corrected piece, starting thusly:

How much access to your (and your friends') personal data are you prepared to share for access to free mobile apps? I suspect the amount is significantly less than that which you actually agreed to share when blindly accepting the Terms of Service.Case in point: Facebook's Messenger App, which boasts over 1,000,000,000 downloads, requires the acceptance of an alarming amount of personal data and, even more startling, direct control over your mobile device. I'm willing to bet that few, if any, of those who downloaded this app read the full Terms of Service before accepting them and downloading the app.

Scary stuff, indeed. And this week folks have been blindly reblogging this scary story within an inch of its life, presumably in hopes of keeping scary things from happening and saving the world or something.

Here's the thing, though: These scary stories aren't telling you the whole truth. They're spreading what we call Fear, Uncertainty and Doubt. They're irresponsible, show a distinct lack of knowledge on the way Android permissions work, and frankly they do very little to educate. That's not to say you shouldn't look at an app's permissions before installing it — you absolutely should. But we also need to remember to think about why an app may be declaring the permissions it is.

Let's take a look at what Facebook Messenger is, exactly, up to.

What are Android permissions, and why should you read them?

Facebook Messenger permissions

If you've ever installed an Android app, chances are you've seen its list of declared permissions. Every now and then you'll come across an app that doesn't have to declare any special permissions, but that's generally the exception and not the rule. And moreover, chances are you've quickly tapped through the list of declared permissions so you could just install the damn app. We've all done it. We know better, but we do it.

Permissions are integral to the Android experience. And they're still a little clunky.

So what are permissions? And why does my phone need access to all that stuff? Because they're keeping you safe. Any time an app wants to use a feature that's considered "protected" by the system, it'll have to tell you that it wants to do so. In Android's case, it declares permissions before you install an app. You see them in Google Play. You see them on the device itself any time an app is installed, whether it's from Google Play or somewhere else. If an app wants to use, say, the camera, it must declare it as a permission, otherwise it can't use the camera.

What might an app need permission to access? Your camera, for one. Location via GPS is another. Same for using telephony, network and other data connections (think phone calls, getting online and the like), SMS and MMS (text messaging), and Bluetooth use. If an app wants to use any part of any of those things, it must declare the permission.

And Android has gotten better about permissions as you see them today, simplifying the list and consolidating permissions that shouldn't seem out of the ordinary ("Of course this browser needs Internet access"), making them a little easier to read — but it still has a ways to go in the way it actually explains the permissions. They're still pretty broad and don't really give any insight as to why the app you're installing might need access to those things, and it's not always obvious. They're also still not really written in English (though, again, they're better than they used to be). So they might well sound a little scary, even though they shouldn't be.

And as we're seeing in this latest round of FUD, it's real easy to get folks' knickers in a twist.

Let's look at Facebook messenger's permissions

As we said, you're kind of left to your own devices to decide whether the permissions an app is declaring are scary, or necessary. (Though we'd argue that a company like Facebook probably couldn't get away with sneaking something through for very long, but that's not really the point of this exercise.)

So, let's go through them, one by one, as they're currently listed. (Note that the order is different than what you'll find in that original December 2013 HuffPo FUD piece, and the subsequent reblogs.)

Facebook Messenger permissions — calls

Phone calls

  • Directly call phone numbers. This one's followed by a yellow "This may cost you money" warning, and a little image of coins, again indicating that it could, potentially, cost you money.
  • Read phone status and identity.

Why these permissions: Because Facebook messenger can call people. Or, rather, it can initiate a call. If someone has given Facebook their phone number, you'll be able to call them through this app. At the same time, the app has the ability to see what your phone number is.

Facebook Messenger Permissions — Texting

Texting

  • Edit your text messages (SMS or MMS)
  • Read your text messages (SMS or MMS)
  • Receive text messages (MMS)
  • Receive text messages (SMS)
  • Send SMS messages (This may cost you money)

Why these permissions: Facebook Messenger uses an SMS to confirm your phone number when you decide to give it to Facebook. Note how that works in conjunction with the "read phone identity" permission above. Facebook Messenger also allows you to send a text message or MMS to someone who isn't yet on Messenger. (You have to give it access to your contacts, though, for that to work.)

Camera

  • Take pictures and videos

Why this permission: Facebook Messenger can use the camera to ... wait for it ... take a picture or shoot video.

Microphone

  • Record audio

Why this permission: Facebook Messenger can use your microphone to ... wait for it ... record a message to send to a friend. Or make phone calls.

Facebook Messenger Permission — Location

Location

  • Approximate location (network-based)
  • Precise location (GPS and network-based)

Why these permissions: Because Facebook Messenger, just just about every other social network, uses location for all sorts of things. And there's more than one way to get location on a device.

Contacts

  • Read call log
  • Read your contacts
  • Read your own contact card

Why these permissions: Facebook Messenger is a messenger app, and it has the ability to sync up with your phone contacts. (That's a separate process altogether, but it still has to declare the permission up front if it's going to do any of it from your phone.)

SD card

  • Modify or delete the contents of your SD card
  • Read the contents of your SD card

Why these permissions: Facebook's addressed this one directly already regarding its Facebook proper app, but it's also a pretty standard permission for any app that needs to cache data somewhere. In this case, think your friends' contact pictures. Instead of downloading them every time you use the app, which is slow and costs data, it stores them. (And that's just one example.) And "SD card" is a misnomer (and another example of how permissions can be clunky), because it's not actually talking about a physical SD card.

Accounts

  • Find accounts on the device
  • Read Google service configuration

Why these permissions: Facebook Messenger is a Facebook app. And you know how you're able to use your Facebook account to sign into other things. (Including our Mobile Nations sites, actually.) And if you look in the main accounts settings on your device, you'll see the Facebook service listed here. Thus, the permission.

Network

  • Change network connectivity
  • Download files without notification
  • Full network access
  • Receive data from Internet
  • View network connections
  • View Wifi connections

Why these permissions: This sort of thing often sounds far more scary than it should. First, the obvious: Facebook Messenger needs a data connection. Full stop. That explains most of that there. As for downloading files without notification, ever wonder how Facebook apps sometimes look different even though you didn't actually update the app? There you go. (Not saying we're a fan of that one, by the way. We'd prefer transparency.)

Other permissions

  • Run at startup: Facebook Messenger is a messaging app. In order to be effective, it needs to be open. So it sets itself to run at startup in the background.
  • Draw over other apps: Two words: Chat Heads.
  • Control vibration/prevent phone from sleeping: Pretty standard for notifications in an app like this.
  • Read sync settings: Lets the app see if background syncing is on.
  • Install shortcuts: Again, Chat Heads and your home screen.

The bottom line: Just because it sounds scary doesn't mean it is.

In Android, you accept permissions wholesale — either you install the app, or you don't. That differs from how things work in iOS and Windows Phone, and whether it's a better way of doing things is up for debate. If, say, you tell an app not to send you push notifications in the app's settings, it'll still have the proper permissions to do so. Same thing for text messages here. Even if I don't use Facebook Messenger for that, it still has to declare the permissions — just in case I want to use that feature.

And Google still could do a better job making them more readable for the regular user. Probably the biggest culprit is when you tap on a permission and see it talking about allowing the camera to take a picture "at any time." Really what that means is "we won't ask you again if you want to use the camera when you open the camera, because chances are you're trying to use the camera." (That's different, however, than the roadblock you hit if you have more than one camera app installed. But that's another thing for another day.)

App permissions are important. Be sure to read them. But also think about what an app actually does.

On the other hand, app developers could explain in the app description (or at least link to a web page) why the app is declaring the permissions it's declaring. And many developers do, including us with the Android Central App (opens in new tab).

Facebook, for its part, told the Wall Street Journal essentially what we're telling you here: The original HuffPo piece is bunk. In fact, when called out by a commenter, the FUD's author not only basically admits to spreading the FUD, he makes it worse.

I would agree that it's not Facebook Messenger's intention to record audio or take a photo without being initiated (eg. taking/adding a pic to a text msg) but once you give permission for the app to do so automatically, what's to stop a hacker or other app from doing so? We have too much blind faith...that's the point I'm trying to make.

Here's what stops a hacker or other app from doing so, Sam: The permissions system. And also the other malware and security protections Google has in place.

That's not to say Facebook or any other major company is beyond reproach, or that you shouldn't question its motives. We've seen Facebook pull some shady stuff before. But Fiorella is correct in that we shouldn't blindly install apps. Read the permissions. Ask questions. Look at similar apps and see if they have similar permissions. (You'll find many of Facebook Messenger's permissions in, say, Google's Hangouts app (opens in new tab).) But be sure to think twice before scaring the hell out of folks and spreading Fear, Uncertainty and Doubt like Fiorella did some nine months ago. And be sure to think twice when you read obviously alarmist stories.

More on permissions

We also recommend reading through:

208 Comments
  • Amen!
  • Not that it matters but Facebook keeps all your messages... Forever. It's why they like you to archive and not delete and make it a bit more difficult to delete. Posted via Ash William's Boomstick
  • Not true if you delete them with Facebook messager they are deleted and not in the archive. Sounds like you don't have the app
  • Doesnt Facebook have a server with all info though? Posted via Android Central App
  • Really, what guarantees do you have that they aren't still on Facebook servers? Did you read the TOS? Seems like you haven't. They are deleted on your side, meaning you can't see them. Doesn't mean that they are not still on FB servers. Snapchat got in trouble for that, and Facebook is much more intrusive than snapchat. Read the TOS and take the red pill.
  • They actually have to store them for like at least 5 years or so just in case there is incriminating evidence that the authorities may request in the future. Legal stuff. Not a fan of it though.
  • i've worked quite some time now in IT and number 1 rule in every information technology system is.... NEVER lose data. They may hide it from others, they may hide it from you, but noone will ever delete a single letter you type into any website once you pressed "send" ... and sometimes they even get it without you pressing "send". Most Systems don't even allow deleting data from a technical point of view so noone deletes something accidently. If you want something deleted it just get's an additional attribute so it doesn't get displayed any more.
  • Yeah, pretty much. Things are "marked" as deleted, but they are still there.
    Now, it'll be archived off after some point, but it never really goes away.
  • bottom line .. a lot of companies are developing a standard electronic retention (or deletion) policy/protocol ...... chances are everything is archived for a period of time. the policy could call for archive or deletion after 30 days or after 5 years... or it just waits until it's overwritten ...
  • Yes, and 450 million emails I'm sure they have time to read all of them.
  • Yes, just delete your messages! GEEZ
  • I agree the HP article is a bit misinformed but this article is a bit of an over simplification about permissions. Put it this way, a good friend is a Google Executive up in Mountain View and they told me they would never allow FB to have those permissions. As such they don't have the app on their phone.
  • One person (I'm sure there are others) doesn't want to allow FB to have those permissions. That is there personal call. Aside from the potential "risk" due to his specific position, Where he works and what position he has there really means nothing. Understanding permissions and opting to allow or not are all that matters. The permissions of FB are not egregious, they just are.
  • Point being Google can allow Android to limit app permissions... they choose. not to for a various reasons. sorry but I'd take the inside knowledge of a person who is a senior level person. Oh by the way, they aren't the only person - most at Mountain View don't and that in and of itself says a fair bit.
  • Now comes the question, if Google has a problem with the permissions(if most of a company has a problem, it's safe to say the whole company) why don't they do something about it?
  • LOL. As if Google + didn't do this already with Google hang outs and *gasp* Google hangouts has almost the EXACT same permissions! So I guess those Google execs up on mountain view don't have Google hangouts on their phone either...
  • I bet you can find one person in Google who thinks this Android thing is a fad.
    I bet you can find one person at Apple who owns a Windows phone.
    I bet you can find one person at the NSA who thinks domestic spying is bad. I don't know how your comment is an example of anything.
  • Great article.  Hopefully this clears things up for some people.  I was having a good laugh last night at some of those articles.  I don't think that the writers quite know what exactly "permissions" are.
  • You know it won't. The voice of reason and sanity often gets shouted down by OMG THE WORLD IS FALLING!! Posted via Android Central App
  • WE'RE ALL DOOMED!
  • That's depressingly true.
  • LOL
  • Wonder how many fear-mongers here are Rupugnantcans? Because this has the potential to get fairly contentious, just like what Repubs did for California's Prop 8 battle, when the sky was falling with each new newscycle. Just a thought.
  • +1
  • People think that having permission to use your camera or microphone means they are spying on us. Which I'm pretty sure they are. Posted via Android Central App
  • If the FB overlords really want to see/hear me sitting on toilet playing angry birds... that's OK with me.
  • Lmaooo Posted via Android Central App
  • ^^^^ I'd prefer they did.
  • Yes! This! Lmao Boom! From My S5
  • FB or FBI? or is it one in the same? YIKES!!!!!!!!
  • Right? My whole issue is the amount of worldwide government taps Facebook knowingly has. I could care less if FB has access to whatever info I give it, but it's handing all that info over to people I don't effing trust.
  • In FB's defence, haven't the authorities forced FB (and others..) into handing over data?
    As an example of that:
    http://www.nytimes.com/2014/06/27/technology/facebook-battles-manhattan-... What would you do if it was your business in their position?
  • Move my business to another country. Example, The Pirate Bay.
  • To be "fair" I doubt the writers use anything but iOS which doesn't tell you anything about an apps permissions before download.
  • They do not have to, Apple knows what is best for you
  • Sounds about right for Apple Posted via AC App from my S4 mini WITH an LED CrackLight ;-)
  • Its funny. Android puts it out there and "OMG THE WORLD IS FALLING", Apple just does it and there is nothing sinister....
  • It doesn't have to. Take a look at the approach sometime. Apple has the app ask permissions AFTER download (in fact, right before you use each feature... Taking a photo in Facebook? Asks permission to access your photos, tracking your location... Ask right before it does it). You get to YES/NO to each permission and then revoke those permissions individually at any time from the Privacy control panel. Saying it doesn't tell you ANYTHING is more than a bit inaccurate. On the flipside, Google Play puts so much extraneous info in there, normal people have to listen to self-serving pundits to tell them that permissions they gave away before downloading. By giving away all of these permissions out of context and at the time of download, you get articles that make people hyperventilate. Which is terrible.
  • Yea this has been really annoying to keep seeing it pop up on big news sites and on my social media feeds. I just wanna grab these people and shake them and be like is this really the first time you've looked at permissions when installing an app? because this is pretty similar to ANY social media app. idiots.
  • Then go forth and share this story, my son. :)
  • +1 Posted via Android Central App
  • Shared it on FB-some of my family and friends are...uh...well, they have special needs, and this article does a great job.
  • Same here.. Lol Posted via Android Central App on The Nexus 5
  • Have sent the link to many people do far today... I'm bookmarking it so that I can send it in the future... Thanks for the great article Phil Posted via Android Central App
  • I have shared this story today. Posted via Android Central App on The Nexus 5
  • Done and done. More people need some Phil in their lives. Posted via Android Central App
  • "More people need some Phil in their lives" I'm so having the rest of these beers and writing a song with that title.
  • I'm expecting that live on Friday's podcast FYI
  • I've been posting your article each time one of those paranoid ones pops up on my newsfeed. Thank you.
  • That Verizon logo hurts my eyes. Please use screenshots from other carrier variants :) Posted via the Android Central App
  • Love ac articles. Already shared to u guessed it my fb page. Posted via Android Central App
  • +1 Posted via Android Central App
  • Thank you. :)
  • The main annoyance for me is Facebook trying to FORCE me to download this app when I'd prefer just keeping the messaging functionality in the main app. I use Facebook messaging very infrequently, and I don't want to have to install another app that's going to eat into my battery and use my resources for the occasional message I want to read/send.
  • That's Facebook for you... But it also is not very different from alot of things Posted via Android Central App
  • I felt the same way, but then I actually tried the app and it is quite good.  So I don't loved being forced into it, at least they took the time to make the app great.
  • Finally... Took them enough tries Posted via Android Central App
  • It was quite bad for a long time, but the most recent builds are good and it deserves the recognition that the other top messaging apps get.
  • Yeah I know it is pretty good now. I blame that a little on the whatsapp takeover or luck.. But I am cynical like that.. Posted via Android Central App
  • Eh, Messenger's been pretty solid for probably over a year now, well before the Whatsapp acquisition was much of a factor. Whatsapp is kind of a disaster of an IM app anyway, IMO.
  • Actually, I liked it better a few versions ago.. Before they went with the pastel blue color scheme.. Posted via Android Central App on The Nexus 5
  • I like the messenger app a lot. Honestly, flicking the chat heads around the screen brings joy into my life. Sad, I know.
  • It's really a very lightweight app and doesn't impact battery life much at all. (This coming from someone who's used it *heavily* for the past couple of years.) If you're still concerned and use FB messages that infrequently, you can always just use the mobile site for that once-in-a-blue-moon occasion.
  • +1 I feel the same. I use it veryyyyyy rarely. Not enough to warrant an additional app. Stupid. Posted via Android Central App
  • I'm exactly the same, what was wrong with the old way, they should at least kept this open and given the choice. If I get a message I'll pick it up on the laptop later. Nothing is that urgent on fb!
  • If you done want to use FB messenger you can use Fast messenger it has way less permissions it real basic but it works good ...
  • Now, how about an article on what Facebook could do with the permissions we give them if they wanted without our knowledge. Not that they do, of course, just hypothetically speaking...
  • Why spread more FUD? Posted via Android Central App
  • Fans of the app hate letting people know the whole truth about it. Far be it from them to ever do anything wrong.....Funny thing though,wasn't they just recently in the news about some little experiment they were doing without permission from the users,then theses fans saying...Well didn't you agree to it when you signed up? So,instead of informing of potential threats people here would rather blow that off and what any application"can" do because some here would rather not scare people out of their safe little world... While explaining why a application may need permissions is a good thing,don't ever sugar coat the realities of what you are giving them permission to do if they desire to. That's just burying your head in the sand for any application that is downloaded. Posted via Android Central App on my HTC M8
  • I still don't get why people that paranoid are still on the internet. Everything is a threat if you're paranoid enough. D:
  • I get your point but thats why one would use a user name an email with a user name why give out personal info if one can help it ...
  • I hear Ted Kaczynski's place is for rent.
  • Already knew this. ac reporting a day behind everyone else as usual Posted via my OnePlus One
  • Haha what?  How is this a day behind? Did you read the article?  This isn't simply just reporting information.
  • It is reporting info. The same info that's been on tech sites the last few days as Facebook just required users to use messenger recently. Today they decide this piece (probably because every other site has already) it's not really a bad thing if you only get your info from one source. But I check multiple sources. Just an observation. Nothing to get your panties in a bunch over Posted via my OnePlus One
  • *unbunches panties* OK if you say so.
  • That awkward moment when you don't read the article and post a comment that makes you look silly, then someone calls you out on it and you post another comment showing you really didn't understand what they were saying and you try and defend yourself and you look even sillier Posted from the Avengers: Age of Droid Ultra
  • "DIZZEL vs DIZZLE" FIGHT!
  • Not hardly. Couldn't care less what trolls say. Too many members spend too much energy trying to be the cool kids on the forum because they obviously don't have much going for them in life. I said my piece and will leave it at that. I just get on here to pass time in between calls at at work. I'll be in the forums but as far as these news stories, just to pass time Posted via my OnePlus One
  • So you are essentially admitting to trolling.
  • I lold Posted via Android Central App
  • Why Facebook messenger saying I can send messages to friends that don't have Facebook and yet a have have let my friends know that don't have Facebook account to download the Facebook messenger app to send messages maybe I should unstall my Facebook app and and use my Facebook messenger as a stand alone app but but will I be able to send messages to my Facebook friends. Posted via Android Central App
  • I believe your answer is that FB Messenger lets you send SMS, so technically you can send a message to a phone number and that phone number doesn't necessarily have to have FB or FB Messenger. 
  • You said Facebook far too many times. My head hurts. Posted via Android Central App
  • I don't have FB app installed and FB messenger works fine , I don't like FB app its a data hog I just use the phone browser , it uses less data ...
  • This list is the main reason why I don't install FB or Messenger unless I'm running a custom rom with permission capabilities built in. That way, I can turn most of those off. My problem with the FB app is that it requests more permissions than any other app on my phone. Personally, I don't trust FB that much. But that's just me.
  • I get what you are saying but it, by its very reason for being around in the first place, should ask for more permissions than anything else. Facebook wants to be ingrained completely in your life so you can share it with anyone, anyway you want. It needs the permissions to do it. Like I said I get what your saying but the permissions follow the business model. I do not know for sure but I am guessing that G+ is very similar Posted via Android Central App
  • Right, and thats why I take issue. I (speaking only for myself) don't trust FB that much.
    Oh, and I just counted permissions. This is from Privacy Guard in CM on a Nexus 5. Permissions requested:
    G+ = 11
    FB = 20
  • FB: Curl2k1, may I borrow your rake?
    Curl2k1: Permission denied!
  • I almost sprayed my screen with Pepsi reading this. LOL Posted via Android Central App
  • ok how many for hangouts?
  • I count 22 for hangouts
    Out of curiosity, I checked Play Services. 20 Posted via Android Central App
  • I am gonna say half are duplicates of G+ so I come back to the conclusion that FB and G+ are the same permission-wise
  • Neither does a friend who is an Executive at Google. They aren't paranoid but they have their reason and all they said to me is that the FB messenger app is something I should skip and not load onto my phone.
  • I use a app short cut to the permissions settings in android on my GS4 and denied them access I don't need fb messenger for accessing the camera or anything else I just use it for the messenger function ...
  • Bravo, Phil. My local news recently did a story about how Facebook in particular is scary but didn't bother to try to explain that perhaps a messaging app needs to use your data connection so it can actually do things. I'm just going to point the people who came to me freaking out over it at this article. And then curse my local news team for their as always poor technology reporting. Posted via Android Central App
  • I have never seen a local news station get a tech story right. I don't think I ever saw one I didn't laugh at Posted via Android Central App
  • Really great article! My social feeds are just packed full of those terrible articles.
  • Reading some of the comments to in the app section made my head hurt.... Some really paranoid people out there Posted via the Android Central App
  • Take a aspirin for your headache... Reality checks generally are enough to scare people. Advising people of the inherent dangers make them less likely to download apps from untrusted places and blindly give it permission. It's always a two edge sword,but when a trusted application does unethical or questionable things then it's a good thing for the consumers to question why apps need these permissions and be wary of this. Posted via Android Central App on my HTC M8
  • Thank you! People act like that just because you can explain the single use for a permission that can do way more than that single use requires that it is all okay. I'm sure Facebook isn't using these maliciously, but at one time many people didn't think that our government would be spying on us as badly as they are; keeping records of texts, phone calls, and emails and passing the “good” private photos around the office. No way Facebook would ever do anything like that though. /s
  • Thank you!! Shared so the nervous nancies on Facebook can chill out and stop sharing that "scary" story. Posted via Android Central App
  • Good to hear it explained.
  • Would be good to have a mirror article that goes through the permissions of an app that *is* suspicious, and explain why, in that case, the permissions requested don't make any sense in the context of the app's ostensible purpose.
  • There is entirely too much common sense in this post. How am I supposed to enjoy some internet chaos if Phil puts things into perspective?
  • 4chan
  • If you really want nutjob chaos, WorldNewsDaily or it might be referred to, wing nut daily
  • TheBlaze.com
  • I've seen a lot of people posting a story written by some idiot on the Huffington Post. The guy is frankly clueless. Posted via Android Central App
  • I read that one... it was painful.
  • Just show me how to keep viewing facebook messages in the app without the use of another messenger app and I'll be a happy camper. I'm not glued to facebook and only want it running when I open it, not constantly.
  • You can't. You either need FBM or you need to use the mobile site in the browser.
  • If it is in any way related to Facebook I don't use it. Posted via Android Central App on the Moto X
  • I'm just annoyed that they're removing messaging from the main app and forcing people into messenger. I don't want messenger. I don't want a standalone app to do just ONE thing I WAS doing in another app. It's bullshit. I uninstalled the main app because of it. Give me one or I'll have none.
  • You got it all wrong. So the Facebook app pushes you in to getting into Messenger by constantly nagging you to download it, when all you really want to do is to message someone through the Facebook messages. I didn't want it to replace my SMS app, I didn't want it to make phone calls for me. I didn't need it to read my contact book and decide to send SMS if they're not on facebook. I didn't want the app to do any of that. Sure, you could say that's what they need to achiev