THE BLOG
08/15/2014 04:58 EDT | Updated 10/15/2014 05:59 EDT

Facebook Messenger Permissions Come Down To Trust

The risk is, we don't know when Facebook, or any app, actually uses these permissions, and I don't think we want to find out after-the-fact that it's been recording me since I installed it, just to sell to advertisers. So until Google improves the Android architecture by allowing us more control over what permissions an app can access at any given time, it comes down to trust.

Getty

There's no shortage of misinformation regarding the latest Facebook changes, so I hope to explain the threats and risks so you can make an educated decision on how to proceed. I'll focus on Google Android phones, but the same underlying principles apply to other phones with a software development kit (SDK).

When developing an application for a mobile phone, you have to decide what permissions that application will require. There are often hundreds of permissions to choose from.

A lazy programmer will often just include all, or more than they need, as it's easier than spending the time to only request access to the specific permissions you need, and it's demonstrable that most users install applications without looking at what permissions they are granting any given application.

For example, if my app might need your location at some point, I need to choose to request ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION depending on the needs of my application. It doesn't mean my application will ever even use that permission, it just needs you as the user to have accepted that I can use it, when I want to. In truth, you'll never know when an app uses a given permission under the current architecture.

If you're curious, you can always look at the app's page in the Google Play store to see what permissions it requests. For example, under the Facebook suite of apps we can take a look at the popular Messenger app that allegedly Facebook is about to force its users to use.

First, click on Facebook Messenger and then scroll way down to Permissions and click View Details. You should now see a long list of all of the permissions Facebook messenger requires you to authorize, in order to use this app.

Another alternative, which requires no permissions, is the F-Secure App Permissions app. It will show you the permissions you've granted every application on your Android phone. Let's take a look at the Facebook Messenger permissions, assuming you have this app installed.

A quick look at these permissions reveals it can indeed access your entire address book, send SMS messages, record photos or videos using your camera, know your location at all times, access the Internet when it wants, and a slew of other pretty creeptastic things. Do I think they will do all of these things? No. A lot of them are needed, for example if you want to take a photo or video with the app, you needs to have allowed the "android.permission.CAMERA" permission.

The risk is, we don't know when Facebook, or any app, actually uses these permissions, and I don't think we want to find out after-the-fact that it's been recording me since I installed it, just to sell to advertisers. So until Google improves the Android architecture by allowing us more control over what permissions an app can access at any given time, it comes down to trust.

Must of us don't feel good about being forced to use an app, and I believe that to be the biggest issue in the current case of Messenger, as it leaves a sour taste in our mouths.

There is no shortage of secure, open source messaging solutions to consider depending on your device and needs. For example, check out Text Secure if you're on Android. The other big difference with it, versus Messenger, is you can read all of the source code for the application, so you can see what it's actually doing. You don't have to trust that the company isn't doing anything malicious with the permissions you've given them.

A few other open source messaging solutions that use encryption worth checking out are Bitmessage (OSX and Windows), and Tox.im (OSX, Windows and GNU/Linux), although the most popular currently is Pidgin with OTR.

But at the end of the day, as Bruce Schneier said years ago, "Don't make the mistake of thinking you're Facebook's customer, you're not -- you're the product," Schneier said. "Its customers are the advertisers."

ALSO ON HUFFPOST:

Photo gallery Embarrassing Parents On Facebook See Gallery