@jonfriskics
Last active November 23, 2015 11:30
Facebook Messenger Permissions and iOS

This document is an attempt to debunk all of those "Facebook Messenger is evil!" messages that are cluttering up my news feed. There are several versions of it, but this document is using this one for separating each claim: http://threepercenternation.com/2014/08/facebook-crosses-the-line-with-messenger-app/

Please let me know if I missed something or got something wrong - and if you're interested in working on an Android/Windows Phone version of this then that would be swell too!

Phone Calls and SMS Messages

Call phone numbers and send SMS messages – This means that if Facebook wants to…it can send text messages to your contacts on your behalf.

Developers can create a link that contains a phone number (tel:// URL Scheme), but the user will always be prompted with a "Call" action button - no phone call can automatically be triggered.

Update: 08/21/14 - someone has discovered that due to the way the tel protocol is defined and implemented, it could be possible to bypass the "Call" action button. Whoops - I imagine this will soon be fixed in an update. Source: http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc

Reference: https://developer.apple.com/library/ios/featuredarticles/iPhoneURLScheme_Reference/PhoneLinks/PhoneLinks.html#//apple_ref/doc/uid/TP40007899-CH6-SW1

Same for SMS messages. Those are sent with a class called MFMessageComposeViewController, and it doesn't expose any methods for automatically sending messages - they always have to be confirmed by the user. Now, it's possible to set up a third-party SMS gateway and programmatically send messages that way, but they wouldn't appear as coming from your phone number - they would only appear as coming from whatever number the gateway was assigned.

Reference: https://developer.apple.com/library/ios/documentation/MessageUI/Reference/MFMessageComposeViewController_class/Reference/Reference.html
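
How an app hands a text message off to MFMessageComposeViewController, as an added Swift example (not from the original document and not Facebook's code). The class name InviteViewController, the recipient and the body are made-up sample values.

```swift
import UIKit
import MessageUI

// Hypothetical view controller, added for illustration only.
final class InviteViewController: UIViewController, MFMessageComposeViewControllerDelegate {

    // Pre-fills a message and hands it to the system compose sheet.
    // The recipient and body are constructed sample values.
    func offerInvite() {
        // Returns false on devices that are not able to send text messages.
        guard MFMessageComposeViewController.canSendText() else {
            return
        }
        let composer = MFMessageComposeViewController()
        composer.messageComposeDelegate = self
        composer.recipients = ["555-0100"]
        composer.body = "Sample invite text"
        // The app can only present the sheet. The class has no send method,
        // so nothing leaves the device unless the user taps Send.
        present(composer, animated: true)
    }

    // Called after the user acts; the app learns the outcome only here.
    func messageComposeViewController(_ controller: MFMessageComposeViewController,
                                      didFinishWith result: MessageComposeResult) {
        switch result {
        case .sent:
            print("user chose to send")
        case .cancelled:
            print("user cancelled; nothing was sent")
        case .failed:
            print("send failed")
        @unknown default:
            break
        }
        controller.dismiss(animated: true)
    }
}
```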

Audio, video, and pictures

Record audio, and take pictures and videos, at any time – Read that line again….RECORD audio…TAKE pictures….AT ANY TIME!!

Do you get it yet? No? Then read it again!! READ!!! IT!!! AGAIN!!!

Let's take this down one piece at a time.

Record Audio

First, you'll be prompted with an alert like this:

[Image: access microphone]

If you say yes, then it is true that the app can turn on your microphone at any time. If the microphone is turned on and not recording video AND in the background, your app will look like this:

[Image: recording]

If the microphone is turned on and not recording video AND in the foreground, then it could be recording audio.

If you're really paranoid about it, just don't grant that microphone permission and give up sending videos through Messenger.

Record Video

Apps can't record video without showing the video that's being recorded on screen. You also can't record video in the background - the app has to remain open during the recording, which means that you'll know if video recording is happening. NOTE: Video recording requires access to the microphone too - that's where the soundtrack for the video comes from.

Take Pictures

This is the first one that's sort of possible. You can take a picture with an iOS app without the preview or camera controls showing up - although it requires some UI trickery, so you'd have to have a certain kind of app screen to pull it off. So, technically Facebook Messenger could take and upload a bunch of pictures without you knowing it - but so could every single other iOS app :) Sleep tight.

I'm also not sure if an app that did hide picture-taking would get approved by Apple and make it into the store, and it seems like if someone did sneak it through, it wouldn't be a huge target like Facebook.

Call logs

Read your phone’s call log, including info about incoming and outgoing calls

Nope. Not possible.

Contacts

Read your contact data, including who you call and email and how often

This one needs to be broken up too.

Read your contact data

When the app first opens, you can grant it access to your contact list. Apps do this as a convenience so you don't have to re-enter all of your contacts for each app. They are supposed to not store any of the contact data they retrieve from your phone, but there's not really a good way of checking this. Bottom line: if any app asks "We would like to access your contacts" and you say yes, then it can access your contacts whenever it needs to.

Which brings us to the second part of that claim:

including who you call and email and how often

Nope.

Personal Info(?)

Read personal profile information stored on your device – This means that if you have addresses, personal info, pictures or anything else that’s near and dear to your personal life…they can read it.

Addresses

If you have addresses in your contact list, and you grant permission for the app to read your contacts, then it can read those addresses.

Personal Info

Not sure what this means. You already have a Facebook account, right? They have your personal information.

Pictures

This goes back to the camera/photos permissions from a few claims ago. If you grant the app permission to take and upload photos, then it will have access to your photos - but only the ones you specifically tell it to use. The app can't just read all of your photos any time it wants.

Accessing Accounts

Get a list of accounts known by the phone, or other apps you use

Not sure what this means. Apps can't talk to each other right now on iOS, so Facebook's app can't talk to Mail and find out if you have a Gmail account (for example). There are certain system-level iOS accounts that an app might be able to check on, but they can't really do anything with that info other than say "hey, you have an iCloud account, good job!"
