Source: Electronic Products

Shoving an unneeded messenger app down the throat of your entire user base is a guaranteed way to upset people and leave them feeling disillusioned, asking questions like “why do I suddenly need this?” While there’s no indication that Facebook harbors malicious intent, the company is collecting enormous amounts of data about the users of its applications, states iOS forensics specialist and security researcher Jonathan Zdziarski. This should come as no surprise considering that most mobile apps run some sort of analytics on user behavior, although Facebook’s apps, according to Zdziarski, have more spyware-type code in them than products specifically intended for surveillance.

After reverse-engineering Facebook Messenger’s iOS binary, Zdziarski discovered that the app records everything a user does within it, including but not limited to the words typed, the user’s location, the time spent in the Messenger app compared to how long it runs in the background, and even how often a device is held in portrait versus landscape orientation. Some of these parameters are trifling, but what alarmed Zdziarski most of all was the presence of private APIs capable of pulling out one’s Wi-Fi SSID (Service Set Identifier). An SSID is the name of a wireless local area network, meaning that Facebook Messenger is able to determine which wireless networks you connect to.

Zdziarski also uncovered several functions with cryptic names like “globalProviderMapData” and “isHeadPublisher” surrounded by a string issuing the following dire warning: [“DO_NOT_USE_OR_YOU_WILL_BE_FIRED”]. A short while later, hacker-turned-Facebook-employee Grant Paul tweeted that the string is an inside joke and that he was responsible for writing it. Joke or not, the notion of such a string remaining in the code following the software’s QA inspection is a bit odd, to say the least.

Zdziarski tells Motherboard that “a couple hours of tinkering around isn’t going to provide any meaningful conclusions… but there is a lot of code that suggests Facebook is running analytics on nearly everything it possibly can monitor on your device.” In other words, take these findings with a grain of salt.

Recall that Facebook faced similar backlash just last month when its newly released Messenger app asked Android users for permission to access their phone’s camera, microphone, text messages, and saved content. The company explained that these permissions “do not necessarily reflect the way the Messenger app and other apps use them,” but included such language as part of Android’s strict policy on permissions. By contrast, iPhone users are only prompted to grant permission on a per-function basis, as each function is encountered during normal phone use. For example, if a user never attempts to make a Facebook Messenger voice call, the app will never ask for permission to use the phone’s microphone.

The screenshots below demonstrate the permissions you “may or may not” be granting Facebook by installing its applications on an Android device. It may be argued that we’ve grown a bit paranoid amidst Edward Snowden’s massive NSA leak, yet in the realm of legal language, “not necessarily” leaves a lot of wiggle room for what can and cannot be done.

[Image: (Left) Facebook Messenger as it appears on Google Play. (Right) Facebook Messenger app info on an Android OS.]

Pro tip: Facebook and its messaging service may alternatively be accessed through the browser on your smartphone, which does not require the installation of any new application or software. If you must use its service, I recommend you do it there, but be wary of what you share.

Considering the company’s stance on cannibalizing all the content posted through its web service, it should come as no surprise if installing the Facebook and Facebook Messenger apps also grants Facebook the right to possess your information. A quick look at Facebook’s Statement of Rights and Responsibilities reveals the following:

“For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

Translation: Anything you post belongs to Facebook, including ideas. Facebook claims the IP license ends upon content deletion; however, the 2nd clause of the Statement of Rights dictates that deleted content may not actually be getting deleted.

“When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).”