Should I Install Facebook Messenger?
ABSTRACT: This blog post covers security concerns over Facebook Messenger but also covers security, technology and philosophy/policy.
This question – or something like it – has come up with clients and friends a LOT lately. Mostly due to Facebook separating functionality from their main app into two apps. The Facebook App (your timeline and stream of photos) and Messenger – an app focused on direct person(s) to person(s) chatting.
Articles have cropped out – most with an ominous tone of big brother watching you – due to “permissions” the application requests when it is installed.
Some of the permissions causing the most furor are:
- Ability to make phone calls on your behalf;
- Ability to turn on your camera and microphone;
- Ability to access your location;
- Ability to access your contacts;
Recently – and for the umpteenth time, this topic came up on Facebook. I left a short response that indicated that there was really nothing to be concerned about – that the permissions were part and parcel of all communication apps that work the same way – Skype – for instance.
Someone responded by saying, “Not all apps need those permissions.”
To which I replied.. “true.. only apps that are of a similar feature set used for person to person communication that might include audio, video, etc.”
Unconvinced, there was some back and forth – which prompted my response below.
Hmm… okay…. The topic covers both technology and philosophy/policy.
My company builds apps and consults on security. I’ve written on and spoken on both topics and I’ll claim a level of authority…. harumph!
* …steps up to the podium…. clears throat… *
First…. of course, do whatever you’re comfortable with. Every case of security, privacy, etc. is a balancing act of trust, credibility, functionality, etc.
The most secure computer is one that does not store any information, does not connect to the Internet, and does not turn on…. not functional but secure as hell.
In fact, the most secure information you have is that which you immediately forget…. again, it lacks functionality, but is secure….
As [omitted facebook users name] asks, “Why does he need the app?” He doesn’t. No one does. We use a free service that enables global communication – it’s fairly simple, it’s convenient, etc. BUT NO ONE IS REQUIRED TO USE ANY ONLINE APPS – by the app itself…. your job might require that. But that’s it outside the scope of this comment.
Understand something…. your phone has ALL the capabilities to do exactly what you are “worried” that Facebook Messenger (plus Skype and others do) can do.
If you have an iPhone – the IOS has all those permissions. If you have an Android – Android has all those permissions. Of course, that’s what the OS does. ie: It turns on the camera. It sends text messages. It makes calls…. YOU ARE NOT MAKING THOSE CALLS. When you touch your screen, it sends a command to the OS – which in turn – interacts with the hardware and does the action.
BUT YOU ARE NOT TURNING ON THE CAMERA. You are telling a program to turn on a camera. The OS turns on the camera, not you.
I realize that this may seem esoteric, but it matters for the conversation.
If you download a virus to your phone or computer, it has X permissions – allowing it to do nefarious things to your computer, phone, etc. Viruses send emails using the permissions it is granted, can turn on cameras, can do x, y, and z.
It is called a virus because it does so without your permission and when you have NOT requested it. That is the nature of a virus.
If a developer at Apple or Android (Google) was so inclined and could slip it past their QA, they could make your computer or phone do the same.
Let’s look at one permission related to Messenger – the scary “make phone calls” permission – but this applies to all the listed permissions.
If you set-up Messenger to do so, and someone on the other end using messenger allows this, their phone number is “connected” or accessible by the messenger app. From Messenger, you have the functionality to call that person.
IMPORTANT: You are in Messenger. For Messenger to initiate that call, IT (Messenger) MUST have the permission to speak to the OS – it must have the right to “make calls on your behalf.” This is absolutely a necessity for it to perform that function.
Apply the same logic to the video – ie: I want to video this person – the app (Messenger) MUST have the permission to initiate that video.
So.… that is why those permissions must be stated – it’s a legal and functional issue.
To repeat, your IOS (iPhone) and Android have the same permissions.
However, we “trust” Apple, or Android, or whomever is our app of choice for X or Y.
As there have been 0 (none, zilch, ZERO) cases of Facebook turning on someone’s video or secretly taping your audio, it is, from a security assessment standpoint, reasonable to believe they WILL NOT do so in the future.
If they, in fact, did…. it is unlikely they would survive. They are in the business of communication. Their money is not made in grabbing people’s information. They have NOT been in the past a “virus – but if you believe that they are – you SHOULD not be using them in a browser either.
Remember, as you walk around with your smartphone – especially if you use it for GPS, you are theoretically allowing Apple, Android, and your cell carrier to map your location. Also, they can turn on audio, make calls without your knowledge, and “steal” all sorts of information.
MUCH MORE EASILY THAN FB MESSENGER.
Again…. this is a silly conversation about a complete non-issue.
I am certain, however, NOTHING I can say will change the mind of the truly religious devotee of “Facebook is out to get me” religion. Sadly…. you, me, and our friends – are NOT that interesting.
And that black sedan outside your house really isn’t the FBI….