While it’s not clear just why the app would do this, or what purpose it has for doing so, the Facebook app for Android is taking your phone number the first time you open it up. Without even logging in, the app takes your number and stores it on the Facebook servers. You don’t need a Facebook account, or even initiate an action within the app. Simply having it and opening it will allow the app to take your phone number.
Norton discovered this security flaw during routine testing they perform on apps for their Mobile Insight security app. According to Norton, their testing methods are sound:
Through automatic and proprietary static and dynamic analysis techniques, Mobile Insight is able to automatically discover malicious applications, privacy risks, and potentially intrusive behavior. Further, Mobile Insight will tell you exactly what risky behavior an application will perform and give you specific, relevant, and actionable information.Norton
Norton then reached out to Facebook, who claimed to be unaware of the issue. They told Norton they “did not use or process the phone numbers and have deleted them from their servers”, and said they had no knowledge of the issue. Norton also notes that Facebook is not the only app doing this, or even the worst offender. They promise more information on other culprits in coming weeks, but we’re still curious why Facebook would take numbers from a device that wasn’t even logged in. If I were to download the app, then open it to see what it looked like out of curiosity, my number would then be uploaded to the Facebook server.
We’re not ready to call Facebook nefarious on this account. Giving them the benefit of the doubt, even in the face of all their other security flaws, we’ll chalk this up to another error on their part. What this does do is bring into focus app permissions, and how important they are. Perhaps more importantly, how they can be abused by the app publisher, and ignored by users as fine-print.
Like this post? Share it!
God this is bothering me to death. The product name is Norton. Not the company name. The name of the company is Symantec. As an intern working with Symantec, I felt obliged to put forth this correction.
Facebook just love to invade privacy. Don’t worry this was no accident, and they probably shared this with the government before deleting. Fuck Zuckerberg.
My my. Facebook is a native app on my phone and I do not Facebook due to security threats I found YEARS ago. When I activated my phone, I did open the app. I then closed it, cleared all data, and disabled it.
So from this article I have learned that simply opening the app has given my phone number to Facebook. I’m disappointed but somehow not surprised they probably also have my IMEI and more.
Cyanogenmod ingonito activate!
I have long switched to the Web version of FB anyway. I could not stand the high RAM usage of the cr-app, even when idle (notifications off)…
Can we have firewall for our smartphones? firewall is more precious then a virus
facebook has my phone number, big deal. cry about it. what they gonna do. call me?