Downloaded my facebook data as a ZIP file
Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD
— Dylan McKay (@dylanmckaynz) March 21, 2018
App permissions on a smartphone are a complex black box. It is hard to draw a line between what an app on your phone can and can’t do.
Rogue developers exploited this loophole on earlier iterations of Android. A typical endless runner game might upload your entire SMS history in the background and you would not suspect anything.
Granular permission control made its way into Android in the form of ‘App Ops’ in Android 4.3 Jelly Bean, although it was hidden from the regular user UI. The modern runtime permission model in Android, which we are familiar with, was introduced later with Android 6 Marshmallow.
Similar restrictions can be imposed manually by users with root access, but a native implementation makes it more feasible. The ‘App Ops’ feature still exists in Android, but without any graphical user interface.
Instead, Android uses install-time permission requests on devices running 5.1.1 Lollipop (API level 22) or lower, or when the app’s target API level is 22 or lower on any Android version. On devices running Android 6.0 Marshmallow (API level 23) or higher, with apps targeting the same API level, permissions are selected at runtime after a user opens the app for the first time.
Even with all those precautions, some fundamentally sensitive information can still be abused via call log and SMS related permissions. Google began a massive crackdown in October 2018 by hardening the Google Play Developer Policy to protect it.
Targeting app developers, a relevant article on Google’s Help Center states the following:
You should only access Call Log or SMS permissions when your app falls within permitted uses and only to enable your app’s core functionality.
Core functionality is defined as the main purpose of the app. It’s the feature most prominently documented and promoted in the app’s description; no other feature is more central to the app’s functionality.
If this feature isn’t provided, the app is “broken” or rendered unusable (i.e., app is deprived of its primary functionality and will not perform as a user would expect).
As collateral damage, many useful apps such as automation tools and call recorders were affected. An entry was submitted in the Google Issue Tracker asking for those apps to be whitelisted.
Google later updated their exception list, and it did whitelist some of those apps.
On the other hand, the crackdown (not a part of Project Strobe, but somehow related) actually forces spooky apps to stop collecting sensitive personal data. Facebook, one of the biggest players in this data collection game, seems to be affected as well.
In March 2018, several incidents revealed that Facebook was collecting call logs and text messages from Android phones without user consent.
Facebook did provide official statements against those allegations.
This specific feature allows people to opt in to giving Facebook access to their call and text messaging logs in Facebook Lite and Messenger on Android devices. We use this information to do things like make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite.
Now, a quick look inside the latest alpha builds of the Facebook and Facebook Messenger Android apps confirms that the apps no longer ask for SMS and call log access, respectively.
We compared the permissions declared in the app manifests against those in older stable or beta builds (thanks to APKMirror for hosting them). Facebook (package name: com.facebook.katana) has dropped the ‘READ_SMS’ permission, while Facebook Messenger (package name: com.facebook.orca) has dropped ‘READ_CALL_LOG’.
Facebook pushes numerous builds via various closed and open release channels, so pinpointing the exact version and time period of the change is difficult. Jane Manchun Wong AKA @wongmjane, a famous reverse engineer, hinted at the changes during the past week.
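The manifest comparison described above can be scripted. The following is an added example, not code from the article or from Facebook: it assumes each APK's AndroidManifest.xml has already been decoded to text XML, uses constructed sample manifests for a placeholder package, and the function names are hypothetical. The restricted set lists the Call Log and SMS permission groups covered by the Play policy.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Call Log and SMS permission groups restricted by the Google Play policy.
RESTRICTED = {
    "android.permission." + p for p in (
        "READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS",
        "READ_SMS", "SEND_SMS", "WRITE_SMS", "RECEIVE_SMS",
        "RECEIVE_WAP_PUSH", "RECEIVE_MMS")
}

def declared_permissions(manifest_xml):
    """Return every permission name requested in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # uses-permission-sdk-23 requests apply only on API level 23 and above.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def permission_diff(old_xml, new_xml):
    """Compare two builds and single out the policy-restricted permissions."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    dropped, added = old - new, new - old
    return {
        "dropped": sorted(dropped),
        "added": sorted(added),
        "restricted_dropped": sorted(dropped & RESTRICTED),
        "restricted_remaining": sorted(new & RESTRICTED),
    }

# Constructed sample manifests (placeholder package, not real Facebook builds).
OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""
NEW = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in permission_diff(OLD, NEW).items():
        print(key, value)
```

A non-empty restricted_remaining list means the newer build still requests a Call Log or SMS permission, even if another one was dropped.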
Facebook Messenger for Android no longer collects call log
The app no longer contains the code that touches call logs, hence no longer asks for such permission
— Jane Manchun Wong (@wongmjane) February 13, 2019
Facebook for Android no longer collects text messages
The app no longer contains the code that touches SMS, hence no longer asks for such permission
— Jane Manchun Wong (@wongmjane) February 14, 2019
While we have not dug through the smali code, given the absence of the permissions it should be safe to assume that the relevant internal code doesn’t exist anymore.
Looks like even Facebook was affected by Google's crackdown on Call Log and SMS permissions.
— Mishaal Rahman (@MishaalRahman) February 14, 2019
Well, that’s a start!