Facebook’s updated Android app requires permission to read your SMS and MMS messages. It would seem that this is needed to implement two-factor authentication on the device – in the words of one of their engineers, ‘so we can automatically intercept login approvals SMS messages for people that have turned two factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account’.
The logic is clear, but the key, it seems to me, lies in the word ‘automatically’. Surely the app doesn’t need to do this automatically. Facebook could simply prompt me to type in the code manually. Or, at the very least, provide this option. This may be a perfectly innocent feature but in the light of growing concerns about online privacy, such an option would help to allay people’s fears.
You can find a list of all the permissions required by the new Facebook app here: https://www.facebook.com/help/210676372433246.
Two-factor authentication provides an extra level of security, so it’s good to see Facebook providing this option. It’s up to you, of course, to decide if you’re happy to allow Facebook to read your messages. As a final note, we’d urge you to carefully check the permissions requested by any app when you first install it.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.