Thursday, August 14, 2014

On Going for the Gold: Issues with Mobile App Permissions

Or To Mobile Facebook or Not To Mobile Facebook: That is the Question

Recently, Facebook began forcing its smartphone app users to install an additional Messenger app in order to use its messaging service. This move has, yet again, put Facebook in the spotlight of public anger. Some were initially angry that they were being forced to install a bloated app that uses excessive space, battery, and data. But as Android users began installing the app, they were shown the required permissions for the app and became alarmed. The app requires permissions such as reading and sending SMS text messages, reading and modifying contacts, and knowing when the phone is in use, what number you are connected to, being able to dial numbers -- all without your approval -- and a whole host of other permissions as well. 

Facebook finally responded, explaining why Messenger needs some of these permissions. All required permissions were not explained, however. 

Is the Sky Really Falling?

Some big news papers such as USA Today began circulating "myths" of the Facebook Messenger app, downplaying the seriousness of Facebook's excessive permission grabbing on consumer smartphones. Even Snopes joined in an effort to placate the public.  They rightly point out that the Messenger app does not require any additional permissions beyond the base Facebook app. 

The conclusion that some are reaching as a result of media downplaying is that since the Facebook app requires excessive permissions, then the Messenger app is okay to require excessive permissions.  Is this a valid conclusion? Let's examine the actual permissions that the Facebook app requires to run on Android smartphones.

Above are the three screens from an Android smartphone for the permissions required by the Facebook app. That's a lot of permissions. 

Does Facebook really need to read your phone call log? Does it really need to read the content of your SMS text messages? You do remember the old text messaging that people did on phones before smartphones existed, right? Does Facebook need to read or modify the calendar on your device? Does it need to send email to people on your Google calendar invites without your knowledge? Does it need to change your Wi-Fi connection? Does it need to read or add accounts to your phone? Does it need to see what other apps are running? Really???? 

I'm sure that Mark Zuckerberg would argue that Facebook indeed does need all these permissions, and certainly if one's goal is to make Facebook be the center of your life and the interface through which you do all communications, then absolutely, Facebook needs all of those permissions. But do YOU want Facebook to have that level of access and control over your life?

Three reasons not to use the Facebook or Messenger Apps on your smartphone

1. Facebook's business is to sell advertising. YOU are the product. 

Currently, Facebook collects and uses anything and everything you post, like, comment on or share through their private messaging service to improve their targeted marketing. They really cannot be faulted for this: Users do not pay to use Facebook services, and Facebook has to make a profit. As long as users are aware of what Facebook is doing, they can simply choose to not share certain aspects of their lives via Facebook. So you choose to tell your best friend the exciting news about your pregnancy, that you haven't even shared with your parents, using SMS text messages rather than via the FBig-brother channel. End of story. Right?

Well, not so fast... 

Smartphones are quickly becoming the central integration point for all communications and services for an individual. People make dinner reservations, buy movie tickets, plan their travelarrange for a tow truck, do their banking, manage their health care, control their alarm systems, control their appliances and lights... you name it, they do it -- all from their smartphones.  Indeed, the days of the "land line" phone are limited. As cell phone plans now have unlimited toll free calling, many people are opting to rid themselves of the additional cost of home phones, which seldom ring for anything other than a phone solicitor. For these people, smartphone contacts include their entire set of friends, family, doctors, and those with whom they conduct business. And smartphones retain active logins to pretty much all these services plus email and social media. Smartphones are a gold mine. 

In fact, smartphones are such a gold mine that police have been searching them when they stop people for simple traffic violations. Because of the privacy issues associated with smartphones, the Supreme Court recently ruled that police may not search a person's smartphone without a court issued warrant

When you install a smartphone app (which is actual code) on your phone, and it requires permissions, such as those the Facebook app requires, that app has access to, well, the gold. So essentially you are giving the app access to that which the Supreme Court has ruled that law enforcement cannot get without a court order.

So ask yourself, do you really want to give Facebook access to your gold? You might say, "They wouldn't misuse their privilege", which leads me to my next point.

2. Facebook cannot be trusted to act ethically. 

Facebook recently was found to have collaborated with Cornell University to conduct a social experiment on its users without their knowledge or express consent. They published results of the study entitled "Experimental evidence of massive-scale emotional contagion through social networksin the Proceedings of the National Academy of Sciences. The nature of the experiment is one which, for research conducted by any reputable research organization, requires approval by an Institutional Review Board (IRB). Such approval was neither sought nor received.  

The Department of Homeland Security's Science and Technology Cyber Security Division funded and published the 2012 Menlo Report, which discusses ethics in conducting these kinds of online experiments. In section C.2.1, the report states,

"Informed consent is a process during which the researcher accurately describes the project and its risks to subjects and they accept the risks and agree to participate or decline. Subjects must be free to withdraw from research participation without negative consequences. "

Indeed, the irony that Facebook's home is in Menlo Park is astounding.

So how was this justified? Facebook claimed that in order to have an account with them, users had to agree to their usage policy, and that the policy authorized the experiment. They specifically cited the following part of their policy.

“[I]n addition to helping people see and find things that you do and share, we may use the information we receive about you…for internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

In essence, Facebook claims that every single user agreed to be a lab rat simply by creating an account with them, an act which required acceptance of their usage policy. This recent revelation has raised all kinds of questions about the ethics of the Facebook company.  

Why is this relevant to mobile app permissions? If Facebook interpreted their usage policy to include coverage of social experiments without the user's knowledge or consent, then how can they be trusted to not interpret the installation of the Facebook app as covering the mining of information from user phones? After all, when you installed that app, you agreed to give it the permissions it requested.

But... why in the world would they want to access to all your "gold"? Remember: YOU are the product. What better way to have the world's best marketing engine than to be able to use personal data mined from user smartphones to refine one's advertising targeting engine. One day you're calling Joe's Deck Repair on your phone, and the next thing you know, ads for Joe's competitors are popping up in your news feed. Oh, and remember that pregnancy secret that you shared with your best friend via SMS text? Pampers and Similac have your number... 

3. Widely used software attracts hackers. 

Maybe you don't care if Facebook spams you with ads based on information they mine from your phone, outside the actual Facebook service. Or... even if Facebook could be trusted to act ethically, the same trust simply cannot be extended to hackers. 

Pay special attention here. This is IMPORTANT. The permissions that the Facebook app requires are the exact permissions that hackers want on your phone. By installing a widely used app that has so much privilege on your phone, you have made yourself a big, fat target. Once an attacker gets control of the app, he has the same privilege as the app on your phone.

"But I'm a nobody. No hacker would come after me." Oh really? Have you heard of identity theft? The Infosec Institute published an article about cyber crime against the financial industry, which included a discussion about malware placed on bank customer smartphones via an app in the Google play store.  Be very careful about what you install.

Should I really be concerned about Messenger then?

Back to the question I first asked: Is it a valid conclusion that since the Facebook app requires excessive permissions, then the Messenger app is okay to require excessive permissions and that I should not be concerned? Absolutely, unequivocally no.  The truth is, you should be concerned about both

You also need to consider that other social media apps require some pretty outrageous permissions too. This is not a "Facebook Only" problem. Are you willing to grant gold access to these app providers? 

So what do I do now?

Should I get off Facebook and/or social media entirely? That's up to you. I'm not, but I will not use any social media smartphone apps. Using Facebook on a PC or laptop does have risk, but it's a very different kind of risk than that posed by excessive app permissions. Every person must evaluate and decide the level of risk he or she is willing to take. 

Ask yourself if you really need to be plugged in to social media 24x7. For those who really feel the need to use Facebook, Twitter, or other social media on their smartphones, here is an alternate way of doing it that grants less privilege to the service and hence, supports less features.

ATTENTION Android Users: Did you know you that you really don't need special apps to use social media on your smartphone? That's right. There is a way to do social media on your phone without installing a bunch of battery draining, privacy violating apps. Enter Google Chrome. Simply point the browser on your phone to the social media site of your choice and log in. Next, create a bookmark to the site. Finally, add the bookmark to your home screen using the "Add to homescreen" option within Chrome. The bookmark will show up as an icon that you can move around just like any other icon. Simply tap the icon to be taken to the social media site.

This method works for really any social media that works via a web browser on your PC. I've tested it with Facebook, Twitter, and Google+, and each works seamlessly. The main capability you lose is being automatically notified of posts or messages. That's a small price to pay that will actually save battery and data usage on your phone. If you really want to be notified, Facebook can be configured to send email notices when posts are made or messages sent. Personally, I don't need to be THAT plugged in. 

BEFORE DOING THIS, you should review the permissions that Chrome requires and make sure you are comfortable with those permissions. Chrome also requires camera and microphone access, but at least it doesn't access your phone, contacts, calendar and email. The above described access method likely works with other browsers as well, and you may find a browser that is even more restricted than Chrome.


Organizations that downplay the seriousness of this matter are doing the public a gross mis-service by giving the impression that app permission grabbing is nothing to be concerned about. Further, they are missing a real opportunity to educate the public. Their behavior is, quite frankly, irresponsible.

The whole approach to granting all permissions on a promise to use them minimally flies in the face of cyber security best practices, which edict role based separation and least privilege operation.  To help with that, Google needs to change the Android app permission model to allow even more fine grained permissions. Developers need to allow users to pick and choose which app features they want to use, based on permissions each feature requires, and Android needs to enforce the subset of permissions required. Facebook has the opportunity to lead the way by separating the Messenger capability completely out of the Facebook app and reducing the privileges required for each to just the subset needed for each app's purpose. Will they? We can only hope. We need leaders in the high tech industry who are committed to public safety over the almighty dollar. 

Finally, we should thank Facebook for bringing this matter of app permissions to light, as they aren't the only ones doing this. When installing apps on your smartphone, don't just click through the permissions. Look at each and ask yourself if you really want to give to give your gold to that app.

No comments:

Post a Comment