While it’s not clear just why the app would do this, or what purpose it has for doing so, the Facebook app for Android is taking your phone number the first time you open it up. Without even logging in, the app takes your number and stores it on the Facebook servers. You don’t need a Facebook account, or even initiate an action within the app. Simply having it and opening it will allow the app to take your phone number.
Norton discovered this security flaw during routine testing they perform on apps for their Mobile Insight security app. According to Norton, their testing methods are sound:
Through automatic and proprietary static and dynamic analysis techniques, Mobile Insight is able to automatically discover malicious applications, privacy risks, and potentially intrusive behavior. Further, Mobile Insight will tell you exactly what risky behavior an application will perform and give you specific, relevant, and actionable information.
Norton then reached out to Facebook, who claimed to be unaware of the issue. They told Norton they “did not use or process the phone numbers and have deleted them from their servers”, and said they had no knowledge of the issue. Norton also notes that Facebook is not the only app doing this, or even the worst offender. They promise more information on other culprits in coming weeks, but we’re still curious why Facebook would take numbers from a device that wasn’t even logged in. If I were to download the app, then open it to see what it looked like out of curiosity, my number would then be uploaded to the Facebook server.
We’re not ready to call Facebook nefarious on this account. Giving them the benefit of the doubt, even in the face of all their other security flaws, we’ll chalk this up to another error on their part. What this does do is bring into focus app permissions, and how important they are. Perhaps more importantly, how they can be abused by the app publisher, and ignored by users as fine-print.