The Insidiousness of Facebook Messenger's Android MobileApp Permissions (Updated)� |� Sam Fiorella

Corrections/Updates (4:45pm EST 8/11/2014): A previous version of this post contained inaccurateand outdated information about Facebook's Messenger app for Android devices (Facebook hasprovided its own response to concerns about the app here). The post incorrectly equated the app'sTerms of Service to its Android-specific permissions language, and the permissions language itoriginally quoted has since been updated by Google. These changes are now reflected in the post.

How much access to your (and your friends') personal data are you prepared to share for access tofree mobile apps? I suspect the amount is significantly less than that which you actually agreed toshare when blindly accepting an app's Terms of Service or the default permissions required by agiven operating system for an app to function.

Case in point: Facebook's Messenger App, which boasts more than 200,000 million monthly users,requires you to allow access to an alarming amount of personal data and, even more startling, directcontrol over your mobile device. I'm willing to bet that few, if any, of those using Messenger onAndroid devices, for example, fully considered the permissions they were accepting when using theapp.

The Facebook Messenger app is a standalone version of the instant chat feature within the socialnetwork. In April 2014 Facebook announced that this service would no longer be available in themain app and that users would need to download the separate Messenger app for chat functionality.If you're using this app on an Android device, take a look at the permissions that may be governingits functionality (which you can do by going to Settings > Apps or Application Manager). Below is afull list of Android's current permissions groups (the following section has been updated to reflectthe current language listed at Support.Google.com; 8/11/2014):

In-app purchases

An app can ask you to make purchases inside the app.

Device & app history

An app can use one or more of the following:

Read sensitive log data

Retrieve system internal state

Read your web bookmarks and history

Retrieve running apps

Cellular data settings

An app can use settings that control your mobile data connection and potentially the data youreceive.

Identity

An app can use your account and/or profile information on your device.

Identity access may include the ability to:

Find accounts on the device

Read your own contact card (example: name and contactinformation)

Modify your own contact card

Add or remove accounts

Contacts/Calendar

An app can use your device's contacts and/or calendar information.

Contacts and calendar access may include the ability to:

Read your contacts

Modify your contacts

Read calendar events plus confidential information

Add or modify calendar events and send email to guests without owners' knowledge

Location

An app can use your device's location.

Location access may include:

Approximate location (network-based)

Precise location (GPS and network-based)

Access extra location provider commands

GPS access

SMS

An app can use your device's text messaging (SMS) and/or multimedia media messaging service(MMS). This group may include the ability to use text, picture, or video messages.

Note: Depending on your plan, you may be charged by your carrier for text or multimedia messages.SMS access may include the ability to:

Receive text messages (SMS)

Read your text messages (SMS or MMS)

Receive text messages (MMS, like a picture or video message)

Edit your text messages (SMS or MMS)

Send SMS messages; this may cost you money

Receive text messages (WAP)

Phone

An app can use your phone and/or its call history.

Note: Depending on your plan, you may be charged by your carrier for phone calls.

Phone access may include the ability to:

Directly call phone numbers; this may cost you money

Write call log (example: call history)

Read call log

Reroute outgoing calls

Modify phone state

Make calls without your intervention

Photos/Media/Files

An app can use files or data stored on your device.

Photos/Media/Files access may include the ability to:

Read the contents of your USB storage (example: SD card)

Modify or delete the contents of your USB storage

Format external storage

Mount or unmount external storage

Camera/Microphone

An app can use your device's camera and/or microphone.

Camera and microphone access may include the ability to:

Take pictures and videos

Record audio

Record video

Wi-Fi connection information

An app can access your device's Wi-Fi connection information, like if Wi-Fi is turned on and thename(s) of connected devices.

Wi-Fi connection information access may include the ability to:

Device ID & call information

An app can access your device ID(s), phone number, whether you're on the phone, and the numberconnected by a call.

Device ID & call information may include the ability to:

Read phone status and identity

Other

An app can use custom settings provided by your device manufacturer or application-specificpermissions.

Note: If an app adds a permission that is in the "Other" group, you'll always be asked to review thechange before downloading an update.

Other access may include the ability to:

Read your social stream (on some social networks

Write to your social stream (on some social networks)

Access subscribed feeds

When you review individual permissions, all permissions, including those not displayed in thepermissions screen, will be shown in the "Other" group.

The fact that social media and mobile apps are so insidious is nothing new, we all know (or shouldknow) that no app is truly free. "Free" online apps are paid for by the provision of personal data suchas name, location, browsing history, etc. In turn, mobile developers and social networks chargeadvertisers to serve up highly targeted ads to specific groups of people.

In a way, it pays to offer some personal information for a better experience with online ads, whichwe all hate so much. However, in the case of Messenger on Android, the attempt to collect so muchinformation and take control of one's device is unprecedented and, quite frankly, frightening. Thefact that so many people have agreed to these permissions is an alarming insight into the future ofmobile apps and personal security.

If this many people have not checked the permission groups that apply to Facebook Messenger (orhave read them and don't care), how emboldened will mobile developers be in the future? Iunderstand the nature of "free" mobile apps. I'm prepared to give up some personal data for theright to access a game, content, or social network for free and to have an improved advertisingexperience while enjoying that free service. However, the current situation goes too far. It's time westood up and said "no!"

Take the first step by deleting this app. Next, review the Terms of Service agreements orpermissions you've previously accepted without reading, and be sure you're comfortable with thecost of "free." The only way to curb this harmful trend is to take a stand. Read every online andmobile agreement before accepting and, where it goes too far, say no.

Will you say no?