“Messenger knows when you are sleeping. It knows when you’re awake. It knows when you’re at home too, so delete it for goodness sake.”
This is what Jonathan Zdziarski, a forensic researcher and iOS jailbreaker, tweeted on Thursday after poring over the code of the Facebook Messenger app for iOS. Though he did not specify whether it was true for the Android app, it is almost a given that what the Facebook app does on iOS devices, it would also do on Android phones and tablets.
According to Zdziarski, he discovered a number of strings (code that tells an app to carry out several functions) within the Messenger app that are targeted at tracking a user. “Messenger appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance,” he tweeted.
“Messenger performs analytics on everything – windows you view, everything you tap, icon badge number, application state, everything you do,” added Zdziarski.
As more and more people connect their lives to the world wide web through devices like tablets and smartphones, concerns have been raised about the privacy of individuals. Smartphones are packed with sensors, such as accelerometers and GPS, that can measure the location and physical activity of a user in real time. Apps can then use information collected from these sensors in various ways.
Both Google and Apple, which make Android and iOS, respectively, have created certain rules on how apps can access and use sensitive data collected from a phone, but the whole ecosystem built around smartphones is so complex that serious privacy risks remain.
For example, Google and Apple approve an app before users can download it. But the security is lax and rules are rarely enforced.
In the case of Facebook, Zdziarski hinted that it was too big a company. “I am pretty sure though that if average developers used some of the APIs Facebook is using to collect data, their app would be rejected,” he tweeted.
This is not the first time privacy concerns have been raised over a Facebook app. Last year Norton, which develops security software, flagged the main Facebook app as a risk.
“Mobile Insight (a product created by Facebook) automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen,” a Norton researcher said in a blog post.