These days it seems to be increasingly difficult to see exactly what permissions you may be giving a mobile app when you install it on your device. Both Apple and Google have been accused of over-simplifying the notifications to the point that it is nearly impossible to tell just exactly what – and more importantly why – an app is accessing a certain area of your device. Facebook Messenger is no exception and forensics researcher Jonathan Zdziarski has taken a look at the iOS version and found just how much Facebook is tracking through their latest app.
UPDATE (11/09/2014: 12:39pm PT): Facebook emailed us with this statement regarding Facebook Messenger and this article:
“These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient. As an example, with regard to what where people tap — when we noticed that people were using the ‘Like’ stickers a lot, we modified the app so that people could send them with fewer taps.”
We did indeed mention below that some of the permissions being accessed definitely fall under this use; however, the issue lies with some of the other processes Zdziarski discovered and the use of private APIs. Given some of Facebook’s past practices in web tracking, it’s no surprise that users might be questioning what else they are tracking within their apps. Ultimately, it is up to the user to accept what permissions apps have access to by installing them, and by doing so they show just how much trust they have in the company developing the application.
ORIGINAL STORY BELOW
Many Android users have expressed concern about the app because, when it is installed on an Android device, users are first presented with a screen listing which areas of the device the app is requesting access to (the list is generally vague when viewed on the device; the permissions are better laid out on the Play Store website). On iOS devices, however, users simply select the app from the App Store and install it.
Zdziarski started tweeting out many of his findings via Twitter and had this general statement to say about the app:
Messenger appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance. — Jonathan Zdziarski (@JZdziarski) September 9, 2014
In an email to Motherboard, Zdziarski goes on to say that:
Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background. via Motherboard
I asked independent security researcher Ashkan Soltani via email whether Facebook’s relationship with Apple—having a user’s Facebook account baked directly into iOS—might give Facebook access to private APIs and capabilities that other developers don’t have. Soltani wrote that he believed my hunch was correct. via Motherboard
Zdziarski sums it up – a bit tongue in cheek – but all joking aside, perhaps it’s time to question whether or not you really need this app on your device.
Messenger knows when you are sleeping. It knows when you’re awake. It knows when you’re at home, too so delete it for goodness sake. — Jonathan Zdziarski (@JZdziarski) September 11, 2014
Given the short time the app has been out and the number of installs – between 500,000,000 and 1,000,000,000 on the Google Play Store, and one can only assume a similar number on the Apple App Store – it appears that users either aren’t understanding the access they are giving the app, or maybe they just don’t care.
What are your thoughts on apps and the amount of your personal data they can access? Do you have Facebook Messenger installed? Why or why not?