SECURITY WARNING: Facebook App copying text and call metadata from Android phones

Update 3-27-2018: Latest report is Facebook is stealing metadata but not content, but that alone means Facebook knows who and when you call and text if you have their app with default settings.

In the aftermath of the Cambridge Analytica scandal, TV news stations reported on March 26 that by default the Facebook app on Android sends text messages and phone call metadata to Facebook servers. The technology involved was called "scraping" by one computer expert, raising concerns that Facebook may be able to read even encrypted text messages right off the screen.

Recently, Google toughened the permission system on Android, so Facebook now has this antifeature as opt-in, under the name "Sync Your Call and Text History. " That can be turned off from within the app, and it has been reported that it does not work unless users give the Facebook app permission to access contacts. Of course, when it is disabled facebook tries to get users to enable it with a big blue button asking to enable it. It is not known if this data-stealing began when facebook began asking for permission, or whether Facebook has been doing this covertly when Android's permission system was weaker. The latter should be assumed, given Facebook's incredibly malicious history on any and all privacy issues.

When it comes to encrypted communications apps, WhatsApp (which is owned by Facebook) thus automatically becomes untrusted when the Facebook app is also installed. Facebook has shown they want your texts, and it is doubtful they would program WhatsApp to block themselves out. Update: at this time it appears Facebook was only after metadata, not content, but who knows in the future Signal, on the other hand, has no incentive to cooperate with Facebook. It is unknown at this writing if Facebook's "scraping" does in fact work by reading from the screen after decryption but should be presumed it does until proven otherwise. Signal by default blocks screenshots, but this is with operating system code, not robust kernel code that no app could bypass. Thus it is unknown to this author whether Signal succeeds in blocking the Facebook app from reading texts when Signal is set as the default SMS app, the Facebook app is also installed, the facebook app is allowed to access contacts, and "Sync Your Call and Text History" is enabled.

Best security practice is to assume the worst in all cases. Hopefully the authors of Signal will see these reports and test their app against the Facebook app with all malicious features deliberately enabled. Then they can either issue a statement that Signal is not affected, or update Signal to block Facebook and other malicious apps out, whichever is needed. As for Whatsapp, it should be considered unsafe and deleted. Install Signal, and if your Whatsapp contacts won't do the same, unencrypted SMS with them should be considered exactly as dangerous as continuing to use Whatsapp with facebook also installed.

HOW TO FIX THIS:EFF instructions on what setting to change in your Android phone to lock Facebook out of your call and text message metadata.

RELATED:The EF has published instructions on how to stop Facebook from accessing data used by other apps on your phone.

All rights reserved.