Messenger app users worry how Facebook uses a device's phone, camera

Facebook ignited a flood of criticism last week when it began requiring mobile users to load its Messenger app for Android and iOS separate from its basic Facebook app.

Some users complained about having to use the separate app to send messages, photos or videos to their friends. Other users were concerned that the Messenger app stinks of Orwellian 1984-style invasions of privacy.


A permissions page when loading the Messenger app on a Galaxy S5 Sport smartphone includes a popup warning that the app is allowed to use the camera at any time without the user's confirmation. (Image: Screenshot)

Concerned users claim the app could give Facebook the use of their phones and tablets to take photos and to make phone calls without their specific approval. "Beware!" wrote user Rasikh J on Saturday in a review of the app in the Google Play store. On Thursday, a user identified as G Kay wrote in the iOS App Store about the app: "What Facebook can do through this app scares the crap out of me...They can access my microphone, camera and contacts."

The truth of how the Messenger app uses a device's phone and camera is apparently far less insidious than many have thought, according to Facebook.

Facebook said that the "permissions" language used in the Google Play Store to describe how Messenger functions with a user's phone or camera was written by Android officials, not Facebook, to describe a large array of apps, not just Messenger.

While the Messenger app on iOS is basically the same app, iOS users are not shown blanket permissions the way Android users are at the start-up of the Android-based Messenger app. As a result, the privacy dangers many users are concerned about aren't as easily evident in the iOS version, although some iPhone users are still concerned about privacy breaches.

Facebook noted in an email to Computerworld that the Android permissions language for a wide range of apps was recently updated. Google verified that a permissions language update occurred in May as part of an attempt to make permissions easier for users to understand. A perusal of the updated changes reveals that most of the new Android language for the Messenger app is considerably broader and more vague than when first described in a Huffington Post blog last December.

Facebook posted a statement to users on Aug. 6 that attempts to clarify how the Messenger app will use five functions of a phone or tablet for taking photos, making calls and more. "Keep in mind that Android controls the way the permissions are named, and the way they're named doesn't necessarily reflect the way the Messenger app and other apps use them," Facebook said.

Here's how Facebook says its Messenger app uses various device functions, with the bold portion being the actual permission that Android requests, followed by how Messenger describes its use of each function:

Take pictures and videos: This permission allows you to take photos and videos within the Messenger app to easily send to your friends and other contacts

Record audio: This permission allows you to send voice messages, make free voice calls, and send videos within Messenger

Directly call phone numbers: This permission allows you to call a Messenger contact by tapping on the person's phone number, found in a menu within your message thread with the person

Receive text messages (SMS): If you add a phone number to your Messenger account, this allows you to confirm your phone number by finding the confirmation code that we send via text message

Read your contacts: This permission allows you to add your phone contacts as Messenger contacts if you choose to do so. You can always stop syncing your phone contacts by going to your Messenger settings

Facebook's latest descriptions of how Messenger uses the camera and phone are vastly different from how the Android permissions were described for Messenger in December. At the time, the permissions were reported by the Huffington Post as "allowing the app to call phone numbers without your intervention" and allowing the app "to take pictures and videos with the camera at any time without your confirmation."

Facebook told Computerworld that the Android OS controls how the permissions are worded and its language won't necessarily reflect the way each app uses them.

Android users at any time can call up an app in the Play Store and scroll down to "permissions" to click on "view details" to learn more. For this information on the Messenger app, the Android permissions listed don't even mention the phone or camera and now only refer to "find accounts on the device," "read your own contact card," "read your contacts" and find your approximate and precise location.

Computerworld on Monday loaded the Messenger app onto a review unit of the new Samsung Galaxy S5 Sport that was supplied by Sprint and received a number of permissions that seemed at times to revert to the more draconian privacy warnings of December. For the camera, the permission (in a pop-up) said, "Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation." (see screenshot above) For the phone, it simply said, "Uses one or more of phone, call log. Charges may apply."

For its part, Google said it does not allow developers, including Facebook or others, to adjust such permissions wording because permissions are designed only to address what an app will have access to. Exactly how an app uses the camera or phone is up to each developer and they are allowed to include links to their privacy policies on their app's Play Store listing page. It's there that developers can list how they plan to use the information, according to Google. Google also lays out the process that developers should follow in its Android Developers pages.

The concerns raised over Facebook Messenger privacy caused some analysts to wonder how exactly Messenger and other apps, such as Skype, Line and Snapchat, will use a person's phone or camera without their knowledge.

"I'm in a group that likes to protect my privacy, so I am very wary of clicking yes on permissions when I don't understand why they need permission," said Jack Gold, an analyst at J. Gold Associates. "With the camera, there may be a legitimate reason for the app to use the camera to scan a bar code or to scan a Passport as United Airlines does for international check-ins, but I'm still leery about doing so."

Gold agreed with Facebook that Android's general purpose permission wording is too vague about what the permission is for or what will be done. "Having access to the microphone for VoIP and chat sessions is fine, but having it monitor you surreptitiously is not," Gold added. He urged Google to have a more granular permission policy, but noted that Google and Android are making an attempt to define permissions when a user tries to download an app. With iOS, the permissions are often much more vague and general, he noted.

Ultimately, the Facebook Messenger privacy flap is another warning to app users to beware, but also to the mobile industry and developers to find ways to explain to users the permissions for many hundreds of thousands of apps.

"The app has to build a trusted partner relationship with the user," Gold said. "If you inherently trust the app maker, in this case Facebook, and are interested in using the app, then you'll likely click yes. But should you trust the app? If you don't click yes to permissions, then the app won't load. That's the dilemma users face, and it's all or nothing. Having granular permissions against what an app is actually doing is the next step in OS development."
