Norton: Android app skips consent, gives Facebook servers user phone numbers
Yesterday Norton updated its post about its findings in Facebook's official Android app, wherein Facebook confirmed that its app has sent millions of Android users' phone numbers to be stored on Facebook's servers when the app is launched.
The app's action of launch/send does not require users to log in, so user consent is impossible, and the app's phone number-to-Facebook-server mechanism occurs whether or not the person launching the app has a Facebook account.
Facebook told Norton that all phone numbers obtained in this manner through its app have been deleted from Facebook's servers.
Symantec's Norton published updated findings that show Facebook has been uploading phone numbers to its servers via its Android app in Norton Mobile Insight Discovers Facebook Privacy Leak:
The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks.
Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.
According to Google Play, hundreds of millions of devices have installed the Facebook application and a significant portion of those devices are likely affected.
When Facebook confirmed the issue to Norton, the social media giant said it would 'provide a fix' in the next Facebook for Android update.
The Facebook Android app was updated in the Google Play store yesterday - however, the app page does not say what was new in the update.
ZDNet is finding out if the issue has been fixed and we have asked Facebook when Android users can expect the app to be changed, and we will update this article with information from Facebook as soon as we find out.
It is unknown at this time how long the application has been performing this function, but as of this writing the Facebook for Android app has been downloaded 7,408,431 times from the Google Play store.
Facebook: Behaving badly, or dangerously incompetent?
Problematically, many Android phones come with the application pre-installed and in many instances the app takes a degree of technical skill to remove. The app only needs to be launched accidentally to send the Android user's phone number to Facebook's servers.
At this time, Facebook has not claimed this issue as an accident.
To the knowledgable bystander, combined with the app's other mechanisms, it's impossible not to consider the opinion that the app is acting like spyware.
In this scenario - in my opinion - Facebook appears as if it could be acting like a command and control server; their servers control Facebook app users' phones.
The other app permissions for Facebook's Android app are equally worrying, and help us understand what is going into our shadow profiles.
For the official Facebook app to run on an Android phone, "Facebook needs access to" a number of functions that seem antithetical to user privacy.
Update: as we can see with the screencap below, Facebook's official Android app has permission to record your audio at any time without notifying you:
In Read Battery, Facebook obtains detailed information about which apps you use.
In Camera, this permission allows the app to use the camera at any time without your confirmation.
In Phone Calls the app can determine the phone number and device ID, whether a call is active, and the remote number connected by a call.
In Social Info, your agreement to use the app "allows the app to modify data about your contacts, frequency you've called, emailed or communicated in other ways with specific contacts. This permission allows apps to delete contact data."
The Facebook for Android app also "reads your phone's call log, including data about incoming and outgoing call and allows app to read data about your contacts stored on your phone including the frequency with which you've called, emailed or communicated in other ways with specific individuals."
Under Network Communication it states the app can "download files without notification."
With actions that could characterize the Facebook for Android app as PII stealing malware, or like an overt pseudo-FinFisher spying tool, it's like Facebook has turned your phone into a perfect little spy device.
Update: A screencap of Facebook's official Android app showing Facebook can capture images at any time without notifying you:
Norton wrote,
We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release. They stated they did not use or process the phone numbers and have deleted them from their servers.
Facebook user or not, with no way of knowing technical details about removing our information, we are held captive to Facebook's word.
Last week Facebook re-entered the data privacy spotlight when a data leak exposed the contact information of six million users when its 'download history' tool accidentally combined user information with Facebook's shadow profile contact information in the history reports.
The data had been exposed in this manner for at least a year. Users were angry and alarmed that contact information they had explicitly not provided to Facebook has been collected via people they know (from friend's address books), saved and cross-matched in the background.
On the same day Norton first discovered the Facebook Android app issue, the security researchers who told Facebook about the shadow profile data leak wrote a post revealing that the issue affected people who do not use Facebook - non-users are also having their data collected into shadow profiles.
Packet Storm Security wrote its post "Math of the Aftermath" in frustration that Facebook had mislead its users in the email sent to tell users about the data leak saying,
In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed.
For another individual, they only told him about 3 out of 7 pieces of data were disclosed.
It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.
ZDNet's first article about the data leak and user anger about shadow profiling drew questions about where Facebook was harvesting the data it obtained circumventing direct user consent.
Security experts suggested in comments and on Twitter that the source would likely be Facebook's Android app.
Facebook's spokesperson told ZDNet last Sunday via email in its responses to Anger mounts after Facebook's 'shadow profiles' leak in bug:
(...) this data was never scraped from anywhere but provided by users as I mention above and no app or contact database tool was used.
@WeldPond @tufts_cs_mchow @violetblue move fast and break things ... apparently applies to trust too.
— the grugq (@thegrugq) June 28, 2013
Norton closed its post cautioning us,
Unfortunately, the Facebook application is not the only application leaking private data or even the worst.
Which is extremely good to know.
But in light of recent revelations about Facebook's shadow profile collection and storage activities - where data you don't voluntarily give to Facebook is taken by Facebook from other users that know you and matched to a secret profile Facebook keeps on you, we're loathe to dismiss Facebook's activities with its Android app simply by saying that Facebook "isn't the only one" or "other apps are worse."
Needless to say, for whoever can get their hands on them, Facebook's shadow profiles are a genuine and dangerous gold mine.
ZDNet is in contact with Facebook and will update this article with statements, updates or corrections as they come in.
Edit: Saturday June 29, 4:30 PM: Facebook PR claimed yesterday it would respond to ZDNet requests for when the app would be fixed but we still have no statement from Facebook, nor has Norton updated its post with new information. Unfortunately we must assume the app continues to perform its privacy violating fucntion until notified otherwise.