Facebook Messenger Permissions: How worried should you be?
Last week the Internet exploded with people complaining about the security permissions required by the latest update to the Facebook Messenger app for Android. Now that some of the initial knee-jerk reaction has passed, is there anything you need to be worried about? And if so, how worried should you be?
Let’s dig into some background before we dive into that. Facebook is huge. It’s been just more than a decade since being founded, employs more than 7,000 people, and has over 1.28 billion active users. Add to the fact that we recently learned that Facebook has been “experimenting with the emotions of its users” and many might be rightly concerned over what Facebook is doing with all the personal information that we’re freely handing over.
Here in the States, Facebook is pretty big, but over in Europe, Facebook is one of the primary “go-to” apps when it comes to messaging. Regardless of where you live, the permissions that are being requested are the same. They’re broad, and they’re pretty scary.
Why a separate app?
Why does Facebook even need a separate app for messaging? The answer to this question partially answers the concerns raised over why Facebook Messenger needs the permissions that it does. Computer programmers are taught to break problems down into tasks, and tasks down into the smallest possible component. A complex task might be made up of dozens (or even hundreds) of smaller tasks. Separating these into their own discreet methods allows for apps to be more easily understood and maintained, and allows those methods to be reused in other parts of the app, reducing the need for redundant or duplicate code.
The core ideology is to do one thing, and do it extremely well. The Facebook app strays far, far away from that programming ideology. It’s a news reader and poster, an image viewer and poster, a people tagger, and, yes, an instant messenger (plus a whole lot more). By separating Messenger from the core Facebook app, Facebook is actually doing us a favor. Those who only use Facebook Messenger don’t have to deal with the bloat of the core app, and vice versa. Not only that, the permissions needed by one don’t have to be included in the other.
This diversification goes beyond good computer programming ideology. “What we’re doing with Creative Labs is basically unbundling the big blue app,” Facebook’s Zuckerberg told The New York Times last April. “I think on mobile, people want different things. In mobile there’s a big premium on creating single-purpose, first-class experiences.”
Facebook tried to do that by creating its very own, branded phone. It failed – miserably.
Facebook tried again by creating its own launcher and home screen. Again it failed. Again, miserably.
Now, however, splitting the functionality of its network into separate apps offers the people to install what they want, without the overhead of installing functionality they may not want.
Every app that runs on Android has to “declare” what access it needs in something called the “manifest”. If your app doesn’t ask for permission to access the camera, for example, your app simply cannot access the camera.
Prior to installing any app, the user is presented with a list of permissions that the app needs to run. At that point you have the opportunity to use your own best judgement and decide if that particular app should have access to those particular permissions. If you don’t think it does, simply cancel the installation and live without the app.
Some phones, like those running recent versions of CyanogenMod custom ROM and Blackphone, include modified permissions managers that let you toggle permissions on and off per app. This might mean the app can’t work properly, but your security is maintained.
An example of this was a barcode scanner that Michael Fisher tried to install on his Blackphone. When he ran the app it failed, telling him it could not access his camera. Why? Since Blackphone defaults to “super-secure”, the app wasn’t given permission to anything it asked for, and Michael forgot to give the app access to his camera. A quick change corrected that, but helps illustrate the point of permissions very well.
The new Facebook Messenger app asks for several permissions. Here’s Facebook’s explanation about why the app needs them:
- Take pictures and videos: This permission allows you to take photos and videos within the Facebook Messenger app to easily send to your friends and other contacts
- Record audio: This permission allows you to send voice messages, make free voice calls, and send videos within Facebook Messenger
- Directly call phone numbers: This permission allows you to call a Facebook Messenger contact by tapping on the person’s phone number, found in a menu within your message thread with the person
- Receive text messages (SMS): If you add a phone number to your Facebook Messenger account, this allows you to confirm your phone number by finding the confirmation code that we send via text message
- Read your contacts: This permission allows you to add your phone contacts as Facebook Messenger contacts if you choose to do so. You can always stop syncing your phone contacts by going to your Facebook Messenger settings
For a messaging app, those make sense, right?
Even still, it sure is giving up a lot of your security. That’s where your better judgement comes in to play. Do you know the company? Do you trust it with your information? Do the permissions the app is asking for seem appropriate for the type of app?
If you’re installing a Live Wallpaper from a developer you’ve never heard of before, you might be a bit hesitant to accept all those permissions. Why would a Live Wallpaper be able to take pictures and videos, record audio, read your contacts, call phone numbers, and receive text messages? To me, that seems insane.
Now, if that app were a replacement launcher that combined contacts and communications with app launching, perhaps those permissions are justified.
In the case of Facebook Messenger, of course the permissions are warranted. The real question is whether or not you trust Facebook with those permissions. If you do, then this is a big deal over nothing. If you don’t, then you should not have Facebook, Facebook Messenger, Instagram, or any other Facebook-related app on your smartphone or tablet.
While it may sound simple, it isn’t any more complicated than that.