Monday, July 1, 2013

Facebook Android app caught harvesting users' contacts

Facebook, the top-ranking free app in Google Play, has taken advantage of Android's weak platform security to collect users' phone numbers as soon as the app is installed, highlighting core differences between Apple's approach to protecting users' privacy and that of social-advertising firms like Facebook and Google.

The news of Facebook's latest "leak" was outed by Symantec after it analyzed various Android apps using its Norton Mobile Insight tool designed to "discover malicious applications, privacy risks, and potentially intrusive behavior."

Symantec didn't need to dig deep into Google Play to find pay dirt, but its researchers still noted that it "even surprised us when we reviewed the most popular applications exhibiting privacy leaks."

The firm stated, "the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

Just one week ago, Facebook users found that it was possible to download private information from people who had "some connection to them," even when that data had not been intentionally shared with Facebook. That illuminated the company's efforts to secretly collect all kinds of data in its social graph to improve its advertising and friend recommendations, beyond the details intentionally shared by members.

Because the various versions of Android have no coherent security policy regarding the sharing of personal data without the user's permission, Facebook's "automatic sharing" in its Android app affects everyone, even iOS users with Android friends.

Symantec said it "reached out" to Facebook, which it said "investigated the issue and will provide a fix in their next Facebook for Android release." Facebook denied that it was collecting the data for actual use and stated that it had deleted the information from its servers.

"Unfortunately, the Facebook application is not the only application leaking private data or even the worst," Symantec noted. "We will continue to post information about risky applications to this blog in the upcoming weeks." In the meantime, the firm recommends that Android users download its tool to see which Android apps are "leaking" private information.

Source: AppleInsider