Norton: Android app skips consent, gives Facebook servers user phone numbers

Summary: Norton published findings that Facebook's Android app has sent millions of people's phone numbers to its servers upon launch, without users even logging into the app. UPDATED.

TOPICS: Security, Malware

Yesterday Norton updated its post about its findings in Facebook's official Android app, wherein Facebook confirmed that its app has sent millions of Android users' phone numbers to be stored on Facebook's servers when the app is launched.

The app's action of launch/send does not require users to log in, so user consent is impossible, and the app's phone number-to-Facebook-server mechanism occurs whether or not the person launching the app has a Facebook account.


Facebook told Norton that all phone numbers obtained in this manner through its app have been deleted from Facebook's servers.

Symantec's Norton published updated findings that show Facebook has been uploading phone numbers to its servers via its Android app, in the post "Norton Mobile Insight Discovers Facebook Privacy Leak":

The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks. 

Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen. 

According to Google Play, hundreds of millions of devices have installed the Facebook application and a significant portion of those devices are likely affected.

When Facebook confirmed the issue to Norton, the social media giant said it would 'provide a fix' in the next Facebook for Android update.

The Facebook Android app was updated in the Google Play store yesterday - however, the app page does not say what was new in the update.

ZDNet is finding out if the issue has been fixed and we have asked Facebook when Android users can expect the app to be changed, and we will update this article with information from Facebook as soon as we find out. 

It is unknown at this time how long the application has been performing this function, but as of this writing the Facebook for Android app has been downloaded 7,408,431 times from the Google Play store.

Facebook: Behaving badly, or dangerously incompetent?

Problematically, many Android phones come with the application pre-installed and in many instances the app takes a degree of technical skill to remove. The app only needs to be launched accidentally to send the Android user's phone number to Facebook's servers.

At this time, Facebook has not claimed this issue as an accident. 

To the knowledgeable bystander, combined with the app's other mechanisms, it is hard not to conclude that the app is acting like spyware.

In this scenario - in my opinion - Facebook appears as if it could be acting like a command and control server; their servers control Facebook app users' phones.

The other app permissions for Facebook's Android app are equally worrying, and help us understand what is going into our shadow profiles.

For the official Facebook app to run on an Android phone, "Facebook needs access to" a number of functions that seem antithetical to user privacy.

Update: as we can see with the screencap below, Facebook's official Android app has permission to record your audio at any time without notifying you:

[Screencap: facebook audio surveillance]


In Read Battery, Facebook obtains detailed information about which apps you use.

In Camera, this permission allows the app to use the camera at any time without your confirmation.

In Phone Calls the app can determine the phone number and device ID, whether a call is active, and the remote number connected by a call.

In Social Info, your agreement to use the app "allows the app to modify data about your contacts, frequency you've called, emailed or communicated in other ways with specific contacts. This permission allows apps to delete contact data."

The Facebook for Android app also "reads your phone's call log, including data about incoming and outgoing call and allows app to read data about your contacts stored on your phone including the frequency with which you've called, emailed or communicated in other ways with specific individuals."

Under Network Communication it states the app can "download files without notification."

With actions that could characterize the Facebook for Android app as PII-stealing malware, or as an overt pseudo-FinFisher spying tool, it's as if Facebook has turned your phone into a perfect little spy device.

Update: A screencap of Facebook's official Android app showing Facebook can capture images at any time without notifying you:

[Screencap: facebook visual surveillance]


Norton wrote,

We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release. They stated they did not use or process the phone numbers and have deleted them from their servers. 

Facebook user or not, with no way of knowing technical details about removing our information, we are held captive to Facebook's word.

Last week Facebook re-entered the data privacy spotlight when a data leak exposed the contact information of six million users: its 'download history' tool accidentally combined user information with Facebook's shadow profile contact information in the history reports.

The data had been exposed in this manner for at least a year. Users were angry and alarmed that contact information they had explicitly not provided to Facebook had been collected via people they know (from friends' address books), saved and cross-matched in the background.

On the same day Norton first discovered the Facebook Android app issue, the security researchers who told Facebook about the shadow profile data leak wrote a post revealing that the issue affected people who do not use Facebook - non-users are also having their data collected into shadow profiles.

Packet Storm Security wrote its post "Math of the Aftermath" in frustration that Facebook had misled its users in the email sent to notify them about the data leak, saying,

In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed.

For another individual, they only told him about 3 out of 7 pieces of data were disclosed.

It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.

ZDNet's first article about the data leak and user anger about shadow profiling drew questions about where Facebook was harvesting the data it obtained while circumventing direct user consent.

Security experts suggested in comments and on Twitter that the source would likely be Facebook's Android app.

Facebook's spokesperson told ZDNet last Sunday via email, in its responses to "Anger mounts after Facebook's 'shadow profiles' leak in bug":

(...) this data was never scraped from anywhere but provided by users as I mention above and no app or contact database tool was used. 

Norton closed its post cautioning us,

Unfortunately, the Facebook application is not the only application leaking private data or even the worst.

Which is extremely good to know.

But in light of recent revelations about Facebook's shadow profile collection and storage activities (where data you don't voluntarily give to Facebook is taken by Facebook from other users who know you and matched to a secret profile Facebook keeps on you), we're loath to dismiss Facebook's activities with its Android app simply by saying that Facebook "isn't the only one" or "other apps are worse."

Needless to say, for whoever can get their hands on them, Facebook's shadow profiles are a genuine and dangerous gold mine.

ZDNet is in contact with Facebook and will update this article with statements, updates or corrections as they come in.

Edit: Saturday June 29, 4:30 PM: Facebook PR claimed yesterday it would respond to ZDNet requests for when the app would be fixed but we still have no statement from Facebook, nor has Norton updated its post with new information. Unfortunately we must assume the app continues to perform its privacy-violating function until notified otherwise.

  • Never never never will I use Facebook

    This makes that shadow profile thing even worse.

    And the only way to get Facebook to delete everything about you is to sign up for Facebook.
    • Is FB lack of respect for our privacy grounds for Class Action?

      FB security and spyware problem. Does anyone know if there are grounds in which we can gain our privacy back from FB?

      FB has gone too far, and there is a reason why I don't use it. And I tell everyone I know they should close their FB accounts.

      If you value your privacy, stay away from FB!!!
      • The big problem is not so much not using Facebook,

        because even those of us who do not use FB may have a "shadow profile" on FB servers if anyone that you may be in contact with that uses this Facebook app has had their contact list "stolen" without their knowledge. Facebook has flaunted privacy concerns as we well know, but to build profiles on people that do NOT use their service...well, I can't say the term that comes to mind at the moment!
        • Still does anyone know if we can sue FB

          What they are doing is gathering information without a users consent.

          That they collect on those foolish enough to use FB is one thing. To gather information on third parties is just not right.

          Not to ask for your consent is wrong as well.

          We should gather up and make sure everyone knows FB should NOT BE USED by anyone.
          • At play store we should be able to filter apps on permissions

            That way we can weed out all the unnecessary apps that use unwanted permissions.

            The best option is to allow users to only select what permissions they would allow and block all apps that don't meet that criteria from searches.

            This would avoid users from getting ANY unwanted apps.

            And FB would not even show up then.
          • Who would we complain to?

            Would anyone listen? Maybe it's just my perception, but it seems a majority of people are too busy WITH FACEBOOK to even give an audience to someone with a complaint! I've preached, talked, explained and even cursed, but still friends and family spend hours on FB. It's pretty darned sad when the quickest way to contact someone is on FB rather than just call their phone number.
      • Another idea...

        Disinformation. I can control what FB and the Government thinks they know about me by what I decide to post. I can control what they think they know about me by using FB to make public what I want.
        Also, Facebook is the largest networking tool in the world. If I want my band's music, or my novels to see the light of day, I need only to build my fanbase there. It has its uses.
        Why does nobody complain about Google Chrome or Firefox or IE, or Safari or Opera, when they back up your browsing history so that you can access it from any computer? That's right, you can look something up on your phone or tablet, then jump on your laptop and go back to that page, because the history is saved in the cloud.
        That's far more telling than saying, "I went fishing with dad and caught a few perch and a catfish," on facebook. Yet people only gripe about FB, and not your browsers' history caching. Sure, you can delete it locally but... you've already surfed. You're already guilty. The Government can use your IP to find you if they decide they don't like the fact that you wound up on a site that is being watched for terrorists or some such.
        If you TRULY value your privacy, lock yourself in a basement with no means of communicating with the world. Oh, and don't speak... Just in case, right? :)
        Kenneth Junior
  • here we go the android malware problem...

    Every 'android malware' is just this same scenario - trusting a company's app and giving it the permissions. Obviously nothing can prevent this misuse of trust except the user being educated and reading articles like this.
    • Except that ...

      ... Android was purchased and changed for the sole purpose of data mining. It was designed and given away in order to collect data from the users. The spyware is built into the OS and Google doesn't give a cr@p about the privacy of the user.

      To Google, the user IS the product, not the customer.
      • Not so...

        Android was bought to begin the process of competing with Microsoft and Apple. Android devices have excellent controls for stopping this. The problem is the pre-installed app. However, you can turn off access to data on an application-by-application basis. The latest ZDNet mobile now wants user phone number data. Some apps need this but not ZDNet. Every app install gives you a warning of the data it is going to access including phone related data. If the app doesn't declare the access, and you don't grant it, it can't get it.
    • The user has just one responsibility...

      Yet somehow the iOS Facebook App doesn't do these things -- so maybe any user that cares about their privacy needs to make one correct choice -- stay the heck away from Android.
      Ted T.
  • Users Need To Be More Assertive In Demanding Explanations For Permissions

    Maybe Google could enhance its Play Store publication system to allow/encourage developers to give a brief explanation of what each permission the app needs is for.

    Third-party Android builds like CyanogenMod allow the user to block particular permissions from an app, even though it has declared it needs them in its manifest. This way, installing the app is not an all-or-nothing matter; you can still impose controls on what they can get away with.
    • To Google, the user IS the product, not the customer

      They don't give a cr@p about user privacy. All they care about is how much data they can collect and how much they can sell it for.

      Google purchased Android, modified the kernel to include as much spyware as they could cram into it and then gave it away in order to collect data from the users. The spyware is built into the OS .... ready to be used by whomever pays Google for access to the APIs.
      • Re: modified the kernel to include as much spyware as they could cram into

        Please point to where in the kernel source is there any "spyware".
  • Another Chapter in the Facebook Saga

    Facebook and Zuckerberg have a long history of belligerent disregard for the privacy of their users.

    This is just another chapter in that saga and it won't be the last.

    It is hard to believe that this type of behaviour is not a criminal offence.

    Hopefully a social network with a bit more respect, like Diaspora, will eventually take off.
    A few friends and I already use it.

    It is amazing how hard it is to convince people, especially the technologically challenged, that Facebook owns them and that they should move on.
  • Behaving badly,

    Should that read, behaving bad, or bad behavior?
    • Facebook is just bad at privacy, go figure

      I cannot believe we are still amazed at Facebook's privacy issues. I don't think Facebook has ever been about privacy.
  • Facebook: Behaving badly, or dangerously incompetent?

    Rabid Howler Monkey
  • Symantec/Norton's analysis:

    "You need to buy our product."

    Shocker. Who would have guessed that would be the result of their analysis?
  • Glad I gave Facebook up

    Facebook is certainly not concerned about anyone's privacy. How many mess-ups do they have to make to prove this point?