Facebook’s Android app tells them your phone number, without your knowledge or consent

Earlier this week Symantec researchers stumbled across a privacy concern with Facebook’s official Android app which once again calls into question whether the social network’s developers truly *get* security and privacy.

As Symantec describes on its blog, when its developers tested its new Norton Mobile Security product against some of the world’s most popular Android apps, they were disturbed to see a warning message claiming that the Facebook Android app leaks personal information without the device owner’s knowledge:

“The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.”

Following on from the revelation of an incredibly dangerous security flaw that could allow hackers to hijack any Facebook account just by sending an SMS message, and over six million users having their privacy breached, you have to wonder what is going on at Facebook.

Are things really that sloppy there?

The good news is that Facebook confirmed Symantec’s findings, and has said it will fix the problem in the next version of its Android app. Furthermore, the social network says that it does not use or process the phone numbers it has been receiving, and has deleted them from its servers.

Well done to Symantec for uncovering this serious privacy flaw in Facebook’s code. That’s a great advert for the new version of the firm’s mobile security product.

Facebook might be wise to run tools like Symantec’s over future versions of its smartphone apps, before it pushes them out to millions of users – just in case there are other unexpected privacy holes that could prove embarrassing.

Hat-tip: The Next Web.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
