Facebook Android app caught seeking 'superuser' clearance

Social networking giant and market-leading data broker Facebook is once again taking heat for playing fast and loose with its access to personal information. This time, it's the Facebook Android app that is under the spotlight after folks noticed it requesting an extraordinary amount of access privileges – specifically, …


  1. Chris G
    Trollface

    Oh Sorreee! Sorree!

    It must be a bug we take our l/users data very seriously and w...............

    Of course it could just be a bug.

    1. Sandtitz Silver badge
      Unhappy

      Re: Oh Sorreee! Sorree!

      FB can always blame the usual suspects - rogue coders did it!

      (that's rouge coders for the illiterate)

      1. frank ly

        Re: Oh Sorreee! Sorree!

        I always blush when I make that particular spelling mistake.

      2. Sgt_Oddball
        Trollface

        Re: Oh Sorreee! Sorree!

        I dunno, I've got a pair of red trousers I wear at work and they're pretty rouge now...

      3. Scott Marshall
        Black Helicopters

        Re: Oh Sorreee! Sorree!

        rouge coders???

        Oh, of course; it's a code-phrase for Russian Hackers.

        ROFL

      4. 's water music

        Re: Oh Sorreee! Sorree!

        Looking back I am never sure whether it was stranger that I spent years misreading Rogue Trooper as Rouge Trooper or that I never wondered more why the hell he would be called Rouge

        1. IsJustabloke
          Stop

          Re: Oh Sorreee! Sorree!

          "...that I never wondered more why the hell he would be called Rouge"

          Yes very strange given that he's blue!

      5. BillG
        Mushroom

        Re: Oh Sorreee! Sorree!

        No excuses.

        No forgiveness.

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh Sorreee! Sorree!

      The Facebook mobile app should be classed as "malware" and removed from all app stores immediately.

      Two reasons spring to mind as to why it was written the way it was.

      1) The android security model is shite, it's not granular enough. You want access to the photo library, you need to grant the app with access to the phone records ( or some such bollocks! ). The Android security model during development needs to be far more granular. When I need access to the network system, it should be partitioned out to only sub components I need and nothing else. When my app requests access to the photos, it gets access to the default photo app and the default photo directory and nothing else, not the phone records, SMS, logs from all other apps and Lord knows what else.

      2) Facebook simply wrote the app to include all privs and hoped users were too busy or stupid to realise what they were agreeing to!

      ( Sadly I already know which is the most likely. )

      I remember someone downloading the FB app a year or so ago and being shocked at the huge list of security categories the app asks for. Why the fsck does a social media app need access to your phone records?! We all know the reason but FB is a frighteningly insidious and vile invention, the worst bit is it's nothing to do with being social. The "social media" part is simply a by-product of one of the biggest advertising, captive audience systems in the history of humanity.

      1. israel_hands

        Re: Oh Sorreee! Sorree!

        "The android security model is shite, it's not granular enough. You want access to the photo library, you need to grant the app with access to the phone records ( or some such bollocks! ). The Android security model during development needs to be far more granular. When I need access to the network system, it should be partitioned out to only sub components I need and nothing else. When my app requests access to the photos, it gets access to the default photo app and the default photo directory and nothing else, not the phone records, SMS, logs from all other apps and Lord knows what else."

        Complete nonsense. Every single example you've given is a separate permission in Android. Call logs are separate from calling permissions are separate from media storage are separate from SMS logs are separate from SMS sending permissions. In older versions you had to accept all the permissions an app requested in order to install it but the last few major versions have included the option to selectively bar each app from each permission category.

        Not that I'm defending Facebook, or suggesting their app isn't malware, but you need to get your facts straight before you start pontificating about how to fix things. The issue here is that Facebook made yet another monolithic grab for data and turned out the usual shit apology when they got caught.

        1. Tom 38

          Re: Oh Sorreee! Sorree!

          I dunno, it's not complete nonsense (apart from OP's examples). A better example would be Whatsapp. If I want to share media I've taken with people through Whatsapp, then I must grant Whatsapp the "Storage" permission. This doesn't give Whatsapp permission to read my media, and write received media to a particular folder, it gives it permission to create, read, update and destroy any user file in any location.

          Effectively, if you want to be able to share media, you also have to open all your data to the app in question and trust that it won't look in other places.

          1. Anonymous Coward
            Anonymous Coward

            Re: Oh Sorreee! Sorree!

            "Effectively, if you want to be able to share media, you also have to open all your data to the app in question and trust that it won't look in other places."

            Check phone. Access to Storage off.

            Opens WhatsApp.

            Opens gallery, and there are the photos.

            Hint: Deny all on installation and then allow what you want when it requests it.

      2. Robert Helpmann??
        Big Brother

        Re: Oh Sorreee! Sorree!

        The next logical step for FB is to develop and distribute their own phones. They could give them out for "free" all over the world, just like they do with their app.

        Icon for obvious reasons.

    3. JetSetJim
      Windows

      Re: Oh Sorreee! Sorree!

      I fail to understand why it even needs an app - it's just a view into the web pages. The only thing FB won't let work in the mobile web page is messenger, which is no great loss to me, but equally I bet could still be done in a mobile web page. The only reason for the app is to slurp your data, so I didn't bother installing it.

  2. Mark 85

    It's probably hubris on FB's part. Zuck got away with what he did in front of Congress and I do believe he really thinks he's doing nothing "wrong". FB scares me more than any other company for the level of invasiveness. Ok... Google is a close second this week.

    1. Anonymous Coward
      Anonymous Coward

      More Google revelations this week

      Google’s Selfish Ledger is an unsettling vision of Silicon Valley social engineering:

      https://www.theverge.com/2018/5/17/17344250/google-x-selfish-ledger-video-data-privacy

  3. GIRZiM

    Does anyone manufacture Mark Zuckerberg masks?

    They'd be ideal for Halloween and (especially) Guy Fawkes Night.

    1. Fruit and Nutcase Silver badge
      Jobs Horns

      Re: Does anyone manufacture Mark Zuckerberg masks?

      Time for a Zuckerberg version of -->

      ?

  4. JassMan
    Trollface

    Presumably with superuser access

    FB can not only read your whitelists and blacklist but also change them. This has the wonderful advantage for FB that they can whitelist any site which says how wonderful they are and blacklist sites such as the old faithful ElReg who sometimes point out small failings of FB (which are of course total lies in the eyes of FZ***erberg). Of course since the users have willingly granted this access without reading the Ts&Cs, FB is only giving the users what they want.

    1. Danny 14

      Re: Presumably with superuser access

      hence why using the facebook app is madness. just use the web version if you need facebook.

      1. Joe Harrison

        Re: Presumably with superuser access

        Easier said than done after they recently changed Facebook mobile browser access to disallow messaging. Also it will nag the hell out of you all the time "why haven't you installed the app", "this would work much better if you installed the app", etc, ad nauseam.

    2. IsJustabloke
      Facepalm

      Re: Presumably with superuser access

      "without reading the Ts&Cs,"

      Whereas you read every last line of every single T&Cs you are presented with

      1. Anonymous Coward
        Anonymous Coward

        Re: Presumably with superuser access

        "Whereas you read every last line of every single T&Cs you are presented with"

        He might not, but I do - even better, I understand what it actually says. That's why I refuse to use Google too.

  5. Anonymous Coward
    Anonymous Coward

    Facebook Crimes & Lies Chapter-2

    .....'May not have been intentional.'....

    So with everything we now know... Up to 2 Billion slurped, of which 87m are guaranteed. Plus, Zuk lying to congress for 10 hours straight and denying Shadow Profiles, or Offline-Tracking of Users / Non-Users. Surely this is an intentional landgrab... Last 'big-slurp' before GDPR / looming US regulation?

  6. John Crisp

    Slurp on

    Just wondering how the forced acceptance of apps data slurping is going to stand up to GDPR.

    Noticeable all the leading contenders are forcing you to accept their terms, or else.

    I thought consent to give away your data had to be 'freely given' and not coerced (and what about all your contacts data that gets slurped too?)

    Looking forward to some interesting case law....

    1. Danny 14

      Re: Slurp on

      It doesn't. Their stance is sign away your data or no service. That's not GDPR compliant.

    2. Lord Elpuss Silver badge

      Re: Slurp on

      AFAIK, GDPR explicitly forbids service in return for personal data, unless that personal data is necessary for providing the service.

      So saying "If you want us to send you some crappy copy/paste on what the name of your firstborn child allegedly means, please enter their name and your email below" is OK, whereas "In order to send cat videos to your mates, please enter the name of your firstborn child and your email below" is not ok.

      GDPR also says that data must only be used for the purpose(s) for which consent has specifically been given, and must be destroyed when it is no longer needed for that purpose. So once you've sent your email saying 'The name 'Fartboy' has its origins in Middle-eastern heraldic runes dating from 1297' etc, you are required to destroy your copy of the data. Burying some text in the privacy agreement saying you reserve the right to keep it forever and/or mail it to relevant marketing companies who will send you spam is absolutely NOT ok.

      Additionally: you have the right to request what data a company has on you, who they've given it to, and exactly what they will be using it for. If you don't like it, you can demand its deletion/destruction, and the company you gave it to is required to (a) do it within 1 month, and (b) make sure anybody else they've given it to also destroys it within 1 month.

      GDPR is A GOOD THING. More than a few parasitic marketing companies will be sh*tting themselves roundabout now.

  7. BlueTemplar

    Did you knew ?

    40% of Google Play apps are sending data to Facebook !

    https://thenextweb.com/facebook/2018/03/26/facebook-tracking-present-41-popular-android-apps/

    1. JohnFen

      Re: Did you knew ?

      Yep.

      Apps are toxic, which is why I keep mine to a minimum and I firewall everything off so that nothing gets to send data from my phone without my express permission.

    2. Anonymous Coward
      Anonymous Coward

      Re: Did you knew ?

      What data? Data from their own app sandboxes? Like how often you play the particular app and how many IAP you made?

      Let's be clear here, it's not sending data from your phone, Android security model clearly prevents this, the only data it could send is data from within the app's own sandbox.

      1. skalamanga

        Re: Did you knew ?

        Personal data available to that sandbox depends on what privileges you granted it, like, maybe it requested access to your contacts, or maybe superuser access...

        1. Danny 14

          Re: Did you knew ?

          or pictures for screenshots. contacts to invite friends. email address for account purposes. etc etc

        2. Anonymous Coward
          Anonymous Coward

          Re: Did you knew ?

          If you rooted your phone, you obviously have no regard for privacy or security, as clearly rooting a phone opens up a whole world of hurt, and breaks trust chain (do you trust whatever exploit you used to root to not have delivered bonus features?)

          Granting farmville game access to your contacts and then wondering why Facebook has your contacts, that's a pretty dumb thing to do, and perhaps modern technology isn't for you, if you don't understand basic questions and their consequences.

          Let's not forget iOS never has proper sandboxes, and for years apps were slurping contact data without needing to grant ANY permission whatsoever...

          https://thenextweb.com/insider/2012/02/15/what-ios-apps-are-grabbing-your-data-why-they-do-it-and-what-should-be-done/

        3. Jamie Jones Silver badge

          Re: Did you knew ?

          Additionally, there are major problems due to the retarded use of FAT for external sdcard access (they are attempting to tighten it down with emulated filesystem layers hacks these days) [presumably so you can shove your card straight into your pc - despite MTP (https://en.wikipedia.org/wiki/Media_Transfer_Protocol) being available]

          An app may legitimately ask for "media/sd/external storage access" to store large amount of details, but granting it gives full access (read write) to the whole card, as there are no file-ownership attributes - that includes all apps that may use it for storage and code - all your videos, pics, etc. etc. -- everything.

          Some of the other permissions are actually quite lax too (like facebook, appeasing the developer not protecting the consumer, and assuming developers will play nice)

        4. Anonymous Coward
          Anonymous Coward

          Re: Did you knew ?

          "maybe it requested access to your contacts, or maybe superuser access..."

          Lol, you really don't understand the Android security model do you?

          Superuser is not an Android app permission....

      2. Jamie Jones Silver badge

        Re: Did you knew ?

        The android sandbox is rather leaky. Even with *no additional privileges* it is allowed network access, and general "world" rights on the Linux sub-system.

        For instance, you can be uniquely tracked (Mac address), located (wifi-location services via arp lookup of AP mac address), sites you connect to (netstat), os version/patch level/hardware info (uname, etc,) - and all sorts of other stuff.

        Imagine if you were running linux on your home desktop - what could an application do with a 'guest login' shell, and the ability to phone home? - there's the problem - that's what an android app has.

        1. Anonymous Coward
          Anonymous Coward

          Re: Did you knew ?

          Utter nonsense....

          https://stackoverflow.com/a/11705949

          Before Android 6.0 you needed a permission, since then, it's no longer available...

          Congratulations, you get my fail of the week.

          1. Jamie Jones Silver badge

            Re: Did you knew ?

            "Utter nonsense....

            https://stackoverflow.com/a/11705949

            Before Android 6.0 you needed a permission, since then, it's no longer available...

            Congratulations, you get my fail of the week."

            Hey Mr anon. A quick tip:

            People often make mistakes - we are after all, human.

            However, if you are going to call someone's post out as "utter nonsense" or accuse them of being your "fail of the week", you better be bloody sure you are correct.

            You aren't.

            So, in the spirit of your condescending reply, I respond:

            My post is true, not nonsense.

            Unlike you, "anon", my post was based on personal investigation, not on "what someone else says".

            Unlike you, "anon", if I'm going to dispute what someone says, I'm not arrogant enough that I don't check my facts first.

            Try it yourself:

            Create an app, with NO PRIVILEGES - then read the text file /proc/net/arp

            To help you out, I just modified an apk for you to test it yourself: http://www.jamielandegjones.com/android/get-mac-without-privs.apk

            Now, normally you wouldn't sideload an unknown app from "random internet poster", right? But, as you are so confident of the android security model, you'll have no problem installing this - it clearly requests no privileges.

            Fire it up. It's a terminal emulator, installed with zero permissions.

            Now type:

            cat /proc/net/arp

            This works up to android 5 at least, and I suspect it works on 6 and maybe even 7 - access to proc was restricted in 7 or maybe 8, but I haven't had a chance to test it to see how thorough the restriction is.

            Whilst here, use that app to have a good old nose around, install some homemade c executables to test ioctl and other calls.

            You'll be surprised at what you see.

            So, in summary, the utter nonsense is your reply. How's that "fail of the week" going now?

            1. Jamie Jones Silver badge

              Re: Did you knew ?

              I forgot to mention: Whilst "cat /proc/net/arp" will give you the mac of the router, to find your own mac, again, WITHOUT any special privileges, open a socket to AF_NETLINK, or from the command line:

              iplink

              If that doesn't exist, download a "busybox" binary, and type "busybox iplink"

              So there you have it: MACs of both the router and your own device. - without permissions - at least as far as Lollipop.

              As I said, look at android from a Linux point of view, rather than from an android point of view - you'll be surprised.
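
An added example, not part of the thread or any poster's code: a shell check, meant to be run from the least-privileged shell available on a device, of whether the kernel ARP table discussed above is readable and which neighbour MAC addresses it reveals. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Audit what an unprivileged process can learn from the kernel ARP table.

# list_arp_neighbours [FILE]
# Prints "device ip mac" for each resolved entry. Returns non-zero when FILE
# cannot be read by the current user, which is the hardened outcome.
list_arp_neighbours() {
    table="${1:-/proc/net/arp}"
    [ -r "$table" ] || return 2
    # Columns: IP address, HW type, Flags, HW address, Mask, Device.
    # Skip the header and incomplete entries (Flags 0x0 or an all-zero MAC).
    awk 'NR > 1 && $3 != "0x0" && $4 != "00:00:00:00:00:00" {
             print $6, $1, tolower($4)
         }' "$table" 2>/dev/null
}

# arp_exposure_verdict [FILE]
# One-word summary: RESTRICTED, EMPTY, or EXPOSED:<number of neighbours>.
arp_exposure_verdict() {
    out=$(list_arp_neighbours "$1") || { echo "RESTRICTED"; return 0; }
    if [ -z "$out" ]; then
        echo "EMPTY"
        return 0
    fi
    n=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
    echo "EXPOSED:$n"
}

# Constructed sample in the /proc/net/arp layout (all addresses are made up).
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:5E:10:00:01     *        wlan0
192.168.1.23     0x1         0x0         00:00:00:00:00:00     *        wlan0
192.168.1.40     0x1         0x2         02:00:5e:10:00:28     *        wlan0
EOF
}

tmp=$(mktemp)
sample_arp_table > "$tmp"
echo "sample table: $(arp_exposure_verdict "$tmp")"
echo "live table:   $(arp_exposure_verdict)"
rm -f "$tmp"
```

A RESTRICTED verdict for the live table means the platform blocks this read for the calling process; EXPOSED means the gateway and other neighbours' hardware addresses are visible without any granted permission.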

      3. JohnFen

        Re: Did you knew ?

        "What data? Data from their own app sandboxes? Like how often you play the particular app and how many IAP you made?"

        IAP? Do you mean in-app purchases? That would be an understandable data exchange, for obvious reasons, but I never engage in in-app purchases.

        Aside from that, yes -- app-related data, as well as whatever personal data the app requires access to (address book, etc.). Unless the data is required in order to perform the function the app is designed to perform, no app should be sending any data from my devices.

  8. Anonymous Coward
    Anonymous Coward

    I know of a few apps in the past that do this, only to check for rooted devices, so they can deny use of the app on said rooted devices

    1. Charles 9

      And that number is growing. Puts you in a vice when you need a root-aware app (say for work) but don't really trust its behind-the-back behavior.

      1. Danny 14

        xposed does a reasonable job of being able to hide root.

        1. Charles 9

          But it can't hide the custom taint, especially with Marshmallow and up due to dm-verity being enforced at boot time. Some apps check for this as well as root, and IIRC it's strictly enforced from Nougat on. Plus Samsung devices have that Knox fuse.

      2. Anonymous Coward
        Anonymous Coward

        re: root-aware app (say for work)

        I've had the reverse ... work apps that refuse to work on a rooted phone. Rather put a crimp in our BYOD strategy, as most users had rooted phones.

        I've made an executive decision now that I won't root my phone - so no point installing apps that need it.

        1. JohnFen

          Re: re: root-aware app (say for work)

          "Rather put a crimp in our BYOD strategy"

          There is no way that I would ever allow my personal device to take part in the BYOD schemes I've seen -- they all require the installation of software that is far too invasive.

          So, if I need a smartphone for work, I just ask my employer to supply one, and I only use it for work-related purposes.

  9. Anonymous Coward
    Anonymous Coward

    "We do not need or want these permissions, and we have already fixed this issue. We apologize for any confusion,”

    But we're gonna take the data anyway via a different route ... one that won't ask for your permission this time.

  10. Anonymous Coward
    Anonymous Coward

    Evil by Design

    © The Tory Party 1979, Distributed under license.

    1. skalamanga

      Re: Evil by Design

      "Take from the honest, hard working lower classes, give to the freeloaders and criminals"

      - ©Labour, probably.

      1. Chris G

        Re: Evil by Design

        "© The Tory Party 1979, Distributed under license."

        "Take from the honest, hard working lower classes, give to the freeloaders and criminals"

        - ©Labour, probably.

        The only real difference between the two above is the top one redistributes upwards mostly and the bottom one redistributes downwards mostly but both feather their own nests and the lot in the middle, the people who work for a living and generate the wealth are the resource from which the redistribution is made.
