Mobile apps built with Facebook's SDK secretly shovel mountains of personal information into the Zuckermouth

It’s interesting that these weekly reveals about how shitawful Facebook really is do NOT appear to be coming from inside. Either their internal opsec is implausibly awesome, or the folks on the inside have quaffed of the koolaid, deeply and often.

3 Likes

holy shit that’s a long list :angry:

1 Like

Makes me want to install their apps just so that I can spoof their data.

I’m ovulating right now, in my for-sale house. Listen to my heart beat! Listen to it!

3 Likes

Are you seriously going to pull the No True Mandalorian fallacy?

I don’t know how you spend your nights, but Boba Fett is a clone of Jango Fett who is Mandalorian.

2 Likes

I might be the only developer with these issues - but the Facebook SDK is pretty dang opaque. On top of that they are changing policy all the time (especially following the 08/18 hacks). So it would be hard for me to blame the app developers who look for a feature, read the technical specifications and then implement. At no point during that process is data-privacy mentioned to the developer. If it is, Facebook can - by rights - change that policy overnight. I am moving away from using the SDK everywhere possible.

Don’t believe me - https://developers.facebook.com/policy/

Notice the part where developers must delete all stored user data, but two lines later states FB has full rights to any and all data and it is the developers duty to inform the user that FB is syphoning all their data (‘Give People Control’ clause 6 & 8)!!! #deletefacebookindeed

1 Like

I’m sorry, but if you’re a developer, you know exactly what custom events you’re sending to Facebook.

You have to specifically program them to fire when the user takes a certain action and then you USE FACEBOOK’S DEVELOPER CONSOLE to create the hook that receives that uniquely-named event.

Cory’s use of “secretly” in the post title is either sensational or naive. If you don’t create custom events, FB gets app opens and your ID, for everything else you have to know exactly what you’re giving them before they can receive it.

1 Like

I’d love it were this investigative stories to have listed all apps that shares data with Facebook instead of three as well has exactly how it’s done. Of course, because these are the times with live in, instead of counting on investigative journalists to, you know, go deep in that investigative journalist way, we’ll have to wait on Apple and maybe Google to do their thing. Till then, I dunno; three apps can be deleted and we’ll just stay in the dark about others.

2 Likes

Which is why I do not. But I see now that I drifted off the title/topic a tad by heading to the browser (and thus displaying my browser-centric orientation to interacting with the internet).

And, of course I use non-browser software that accesses the internet (e.g., Signal, VLC), but I am choosy about it, and pretty sure f#c#book ain’t in on my action.

You don’t use any non-browser applications on any kind of computing device? Lucky you.

ETA after clarification:

That’s the thing and the crux of @doctorow’s original post - it’s really hard to know for sure. Unless you build your own binaries and audit the source code you may be unwittingly sharing your data with FB. That’s why if you really care about privacy you need extra layers of blocking in the forms of things like VPNs and DNS blockers.

4 Likes

See edit. Also, not so much lucky as more thoughtful than reflexively auto-installing any app any corporation wants to shove down my metaphorical pants and going “Lolwut?!” when asked if I have considered the privacy concerns.

1 Like

Hey! In your referece to “Pi Hole” way above care to add a link? Pretty please?

1 Like

Certainly. My bad for assuming folks knew what I was talking about.

The tl;dr is: get a Raspberry Pi, install and configure the Pi-hole software on it (they have an “Easy Button” that does most of the hard work), use it as your DHCP server or configure your router to use it as your DNS server (that’s what I do). Enjoy.

At times you may find its blocking to be a tad overzealous, but it’s really easy to whitelist domains through its web interface.

4 Likes

Sleeping, apparently. So this is a nonissue, and I can sleep again.

Considering this from the perspective of those who are not developers will make it seem less so of either.

1 Like

Just wanted to say the image for the article as Zuckerberg as sarlacc is perfect. A bottomless pit for your personal data, where nothing escapes.

1 Like

I reported this almost 2 months ago here, with the original source and more technical details:

2 Likes

So you integrate a button and you earn an automatic law degree - awesome, I’ll try again.

I’m sorry, but if you’re a developer, you know exactly what custom events you’re sending to Facebook.

You’re confusing the data you record in your app with the data FB collects from your app. Can you point me to the dev policy that states that the SDK only records information specified by the developer via custom events?

If you don’t create custom events, FB gets app opens and your ID, for everything else you have to know exactly what you’re giving them before they can receive it.

That is patently untrue - you’re referring solely to automatic events - which also includes in-app purchase data FYI . You’re positing an advertising firm offers an entire SDK for free and the only information it receives in return is the number of times your app is opened? Your specific use case might only involve presenting certain custom events to FB (with disabled auto events), but FB’s legal policy and our mutual inability to read the entirety of FBs SDK code says otherwise.

Do we as developers (wait, you are the only developer here, apologies) require permissions for data acquisition by apps? Yes, but that in no way restricts them and the bundled SDK from obtaining further information on app users - read its dev policy. The question here is did these apps use events (and knowingly place data with Facebook - something they are culpable for) or did FB use the SDK to create data profiles beyond events.

Obtain adequate consent from people before using any Facebook technology that allows us to collect and process data about them, including for example, our SDKs and browser pixels…Facebook, may use cookies, web beacons, and other storage technologies to collect or receive information from your websites, apps and elsewhere on the internet and use that information to provide measurement services, target ads and as described in our Data Policy

That has nothing to do with events. Why would they mention the browser pixel - a technology who’s sole purpose is to gather analytics, next to the SDK in a legal paragraph regarding data elicitation? The policies you are bound by as a developer, are not FB’s terms of service nor its technical limitations. I don’t think it’s safe to confuse the two. But you’re right, the article needs to clarify if the companies where creating app events or not.

1 Like

Even facebook spying with its own VPN service, I read this news here: https://www.extremetech.com/incternet/281884-facebook-used-its-vpn-to-spy-on-other-companies-users.

I am not blaming VPN, Nowadays VPN become a need. but before selecting a VPN you must have look on their logging policy, Avoid VPN that based in the USA.

Ask a tricky question from their live support. Read unbaised vpn reviews etc.

I can only speak to my implementation, but I run the javascript version of the sdk inside react native (not the wrapped library built for RN), so there’s literally no way for it receive data other than what I wrap up into a payload and send to FB’s endpoint, of which the only mandatory param is the advertising id. So in my implementation FB is not getting in-app purchases or any auto-events other than those that can be ascribed from the timestamps when the SDK pings its endpoint with the ad id each time the app is opened.

I grant you that in native SDK implementations, automatically-collected data may be more expansive.

Ultimately though, ad ID (which embodies every conceivable data-point about you) plus app opens and location (which can be inferred from the IP address your phone uses to communicate with FB’s SDK even if location permission is off…) is sufficient to do 99.9% of the damage people are worried about. More importantly, these concerns are universal across apps and apply to every analytics platform. Information can also be enriched by combining the above with some inferred understanding of the purpose of the app based on its public profile (i.e. the app is a crisis messaging service therefore app opens tell you when an individual is in crisis). All of this stuff is more than enough to systemically deny people credit or jobs based on data that we would riot over if forced to physically hand to a banker or prospective boss.

My originally-intended point was that in no way can application-specific data, such as heart-rate or menstrual flow be obtained by the Facebook SDK without developers specifically and intentionally sending it there. FB’s SDK has no way to anticipate how structure a request for such data, unless it is processed in a persistent and prescribed manner by an OS-level API.

The application-specific stuff is what’s sexy in generating outrage, but data that every app gives up is more than enough to ruin your life if used maliciously.

2 Likes

The original article here:


points out that FB will also aggregate data from several applications and that builds a profile which is more detailed. The article gives an example:
an individual who has installed the following apps that we have tested, “Qibla Connect” (a Muslim prayer app), “Period Tracker Clue” (a period tracker), “Indeed” (a job search app), “My Talking Tom” (a children’s’ app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent.

Some apps appear to willfully share more data. Again from the cited article:
A prime example is the travel search and price comparison app “KAYAK”, which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).

Is there some list of apps that use the Facebook SDK (as opposed to some presumably less nefarious one)? (I tried searching but the results were about the SDK itself, not a list of apps built with it)

1 Like