redundant code?
Wasn't there another company, oft mentioned in conspiracy theories, that used this self-same excuse after a minor privacy issue?
Just off to Google it to see if I can remember who it was.....
Facebook has dismissed allegations in The Sunday Times that the web giant's Android app can hoover text messages from phones as "creative conspiracy theorising". Flatly denying the claim published by the broadsheet at the weekend, the social network's UK office said its app's ability to access text messages was open and …
What I find interesting here, is the inconsistency of the media's reporting.
One week it's Android Malware scare stories, they next week, they are pointing out how the permissions based system on Android highlights how some apps have dodgy permissions.
Surely this story should be highlighting the benefits of Google's permissions system over the "Apple will deal with it" iOS system...
This post has been deleted by its author
If you're not afraid of rooting your phone, there are two excellent third-party solutions to this problem.
The first one is to install CyanogenMod. Then when you go to Settings --> Apps --> Manage Apps (or wherever you can view an app's details), at the bottom of the screen where the app's permissions are listed, tapping on any permission will toggle it. This is what Google should have added to Android in the first place.
Downside: this requires a factory reset.
A more elegant solution is LBE Privacy Guard, a simple app that requires root privileges but can otherwise be installed just like any other app on top of your existing system. Its permission management is not that fine-grained, but it has one huge advantage over CM - instead of actually giving the app a slap on the wrist when it attempts to use a permission that has been revoked, it'll intercept the API call and feed it false information.
I've used both solutions (separately) for some time and prefer LBE Privacy Guard because it's more elegant: ...
An app that wants to use a revoked privilege on CM will get an "access denied" message. Some apps aren't designed to cope with this and will crash.
An app guarded by LBE PG on the other hand will simply see an empty phone book, an empty message list, a phone serial number consisting of all zeroes, etc. depending on the permissions you've revoked. It's tricked into believing it still has the revoked privilege but there's simply no data worth looting.
In addition to granting and revoking permissions, LBE PG can also be set to ask or alert you each time an app wants to use a certain privilege.
Paris, because she's been rooted countless times.
It's too bad, because if people could block apps from having access that they don't need to do what they advertise, and then the apps crashed and then got downvoted, it might force the developers to build better apps that don't need access to your address book to show the time and date.
Mobile web for me too. Unfortunately the FB app is preinstalled on the latest HTC ROM update. I don't use it because of the SMS-reading issue, but there is a process under the FB app called UploadManager, which starts automatically and can't be turned off. I naturally wonder why they want permission to read my messages and what they're uploading to where.
If they're not using that code, then they don't need that permission and it should be removed.
If they do introduce a new feature that uses, then change the app permissions so the user is prompted to accept the app permissions again with the text message access hightlighted as new.
Youtube accessing the camera isn't an issue at all, the Youtube can invoke the camera so that you can take videos to post to Youtube.
....FB automtically starts recording everything on a phone and around a phone when that phone is automatically seen (GPS wise) to have entered a "zone of interest." Somewhere between FB's "dormant code" and Google's "oops...rogue staff member" there's some right dodgy sh*t going down. I'm away to start polishing me tinfoil hat.
If you're testing something internally then why does the public available app request those permissions? You can do your internal test with a private version of the app installed from an internal server.
I don't use FB but if I did I would have rejected their app on the basis that it doesn't need that permission.
They'd better watch it, some places and providers don't include unlimited SMS as part of their plan. Sure, they're cheap on my contract, but enough of them will add up to a shock. Having just looked at the permissions requested (damn Xperia Mini is full of "social networking" rubbish that I don't want, and a lot of it starts at start-up (until I kill it, that is)), I'm less concerned FB can look at my texts and more concerned it wants the ability to send texts. This, filed rightly, under "Services which can cost you money"...
As for YouTube, the one on my phone doesn't claim a right to access the camera at all. I think it just tasks off the video recording job to the built in recorder - better that way as it would offer a consistent UI.
One major reason many Android apps request far more permissions than necessary is that, if permissions change in a future update, the automatic update and "update all" features of Android won't work for that app and the update will need to be installed manually.
If Facebook were to provide a SMS service later on, users would need to go and manually install the new version. To make matters worse the "Update (manual)" message is shown in red as if it was some error. When faced with this many non-geek users will simply not install the update.
By simply requiring all foreseeable permissions from the start the app avoids this. It's bad practice but developers are stuck between a rock and a hard place with this one.
For instance, I think Google Maps recently added an "NFC" permission - or something else did. As far as I remember, it was conspicuously highlighted. I don't have NFC hardware so I wasn't worried. But Google Maps uses a -lot- of permissions.
I generally don't allow any app to update automatically. If I did, then I assume that an added permission would stop that from happening. But to take that as an argument to install originally with permissions that your app -might- want to use some day is moronic, IMO.
Another option, I think, is to publish your app in different versions, with different permissions fOr each. But I don't know if you can replace one with another. Paid and free (ad-supported) product versions are an example: the "free" ediition needs to go to the Internet to download advertisements to show you, the paid product maybe doesn't require Internet permission.
Craigness, the Facebook app has been requesting that permission since version 1.5.4, launched April 2011. That's nearly a year ago.
At the time many got the manual update notice and choose to deinstall the app instead. This just reinforces my point: if companies make such permission changes so visible during updates, many users will either not update or worse - they'll *remove* the app. If a company just puts in all permissions from the start most won't ever notice.
Several phones come with the Facebook app already installed, many with the newer version where the SMS permission was already accepted. These users wouldn't even know the app could access their text messages.
Also can you explain the Youtube app needing access to the camera if not for future proofing?
Android's permissions may sound great in theory but recent news like this show that in practice the mechanism sucks. Sorry you can't see this.
I got my phone in April 2011 and I installed FB back then. The update for the SMS stuff was much later. They changed the permission and some people decided not to update, which shows that the permissions mechanism is awesome - I was using the old version of the app for ages and didn't have to worry about what FB could do to me! On lesser operating systems you just get what you're given.
Can you explain why the Youtube app has not requested every permission in the book?
Can you explain why developers, believing that people will not install the app if it requests permission to read their SMS, will make version 1.0 of the app request permission to read their SMS even if it doesn't use that permission? Some people decided not to update FB but there may have been others who updated it in spite of the new permission, simply because they had become accustomed to using the app and wanted the new functions. They might never have installed it if it had always required that permission.
Your hypothesis does not support the facts and it makes no sense.
This post has been deleted by its author
This post has been deleted by its author
If I look at my selection of "suggested" chat buddies in the bottom right of the facebook screen then most of them are people who have text me at some point recently. I understand if they have inboxed me on facebook, but SMS? Hmm.I was always cautious of this and raised this point with a mate who also doesn't trust it.
Oh, and I don't ever use facebook chat as i'm permanently offline.
I also hate the fact that if I leave GPS switched on but not active, logging into the app fires up my GPS for an obvious location report. I think I'll go the way of others and use the mobile site from now on.
About six months ago I binned my BlackBerry in favour of Android. And I've found that the permissions handling on Android seems to be all about the app's author and not the device's owner.
An example: I used to use a newspaper app on my BlackBerry but not permit the connections it wanted to make in order to display in-line advertisements. I liked that capability but I'm pretty sure the authors didn't.
"The permissions issue is as much one for Google as Facebook: Apple's iOS walls off certain phone functions from third-party apps - including text messages and phone functions. But on Android phones that information is accessible to apps, provided the user agrees on downloading the app."
So in other words: Android allows apps to ask your permission to gain functionality that is impossible on iOS. Why are you trying to paint this as a bad thing? More capability is a GOOD thing, especially when it requires explicit permission from the user.
There are not two separate camera permissions, one reading "allows the camera to record at any time" and "allows the camera to record when the users tells it to". If you don't trust Youtube you shouldn't trust any camera app for Android, because they all have the same goddamn permission.
In a word, share buttons. "Tell your friends!"
Share via SMS? "Read and send text messages" permission.
Share via Facebook? "Full internet access" permission.
Share via Gmail? Google account permission.
Share via other email? Email account permission.
You might think there's some built-in ShareButton class that lets every app do all these ubiquitous tasks without special permissions. Nope.
"Allows application to take pictures and videos with the camera. This allows the application at any time to collect images the camera is seeing."
Right. Because there's a goddamn record button in the app. You hit the little camera, it starts recording, and when you're finished it automatically uploads it to Youtube.
Without the camera permission, you cannot record video, even if the user gets on their knees and begs. They're worded for maximum caution but basically anything reasonably fancy - accessing the SD card, for example - requires a permission. Even if the app isn't snooping around, it can't read or write on the SD card unless the user OK's it.
Thank Goodness the Walled Garden doesn't allow this Facebook mockery of privacy. There is no reason for a Facebook app to need access to any personal information on my phone, including text. If it's "internal testing" then they should have that function on their INTERNAL PHONES, not phones outside of Facebook. It's a well known fact that both Facebook and Google want as much of your personal info as they can get. Android? No thanks!!!
One of the reasons I haven't updated my Android app in *ages*, I don't want the new features, I just want to read my FB wall and post comments.
I wish it were profitable for developers to make these kind of applications far more modular in nature, letting us pick and chose the functionality we want, instead of having their latest idea shoved down our throats
Let the user selectively deny permissions - or at least "serious" permissions, like SMS and phone control - with a note that the app might not work correctly. If the code attempts to use those requested-but-denied permissions, either return default values (for functions that gather information), or return an error for functions that do things.
Apps would be expected to be able to behave well if those permissions are denied - of course, they could check that they were denied, and if it was essential to the functioning of the app (for example, an SMS messenger app), notify the user that the app needs the missing permission.
This is why I won't touch an Android phone. Someone (Google and others) want as much info as they can get on their users. No I don't do Apple either. I was on Facebook until late last year. I deleted my account. I don't miss it. We all have a choice don't we? Use it or don't use it. Simples. And just for the hell of it - Duckduckgo :-D