by andymcsherry 4740 days ago
This is pretty standard in Android apps for analytics tracking to use the phone number, IMEI or other values. A while back, a few production phones shipped where Settings.Secure.ANDROID_ID returned invalid values (null, the same value for all devices of that model, etc.). This is the reason that most apps you come across ask for the READ_PHONE_STATE permission.
3 comments

Thanks for mentioning this. It's always annoying when stuff like this is taken out of context and reinterpreted by people who don't have intimate knowledge about the topic, resulting in the kind of useless knee-jerk reactions seen in this comment thread.

If you told the average web-using person that whenever they visit google.com Google gets to know which internet provider you use and from which country, possibly even city you come from and which language you speak, they'd probably freak out thinking it was some evil Google scheme to mine data when in fact, all that is simply a byproduct of any reasonable logging or analytics solution that is not special to Google at all.

> ... they'd probably freak out thinking it was some evil Google scheme to mine data when in fact, all that is simply a byproduct of any reasonable logging or analytics solution that is not special to Google at all.

If that's true -- that an objective reasonable observer would think those things -- perhaps that's indicative of analytics being of questionable ethical standing.

After all, they enable the massive centralization of extremely far reaching user data, voluntarily submitted by both applications and websites to centralized data brokers -- such as Google -- who are not only positioned to build enormous commercial profiles of users, but also to (be compelled to) give or sell those profiles to government(s).

Well, what it also means is that it's not just Facebook who does it. Many other apps you have installed are probably doing this as well without you knowing about it.
Everyone is focusing on FB but the bigger problem is that any app can probably take your phone number without permission. Paging Al Franken.
Actually, when you install an application you accept the READ_PHONE_STATE permission. So you're explicitly giving them permission to take your phone number. This doesn't really apply to pre-installed applications, but there's really no argument that they're doing it without your consent if you download the application from the Play Store.
Actually, most of the time it's explained as being needed to determine if the phone is in a call. Which sounds perfectly fine - I'd like music to stop or games to pause on incoming calls.

The fact that "phone state" is mixed up with Phone Unique ID is terrible.

Well, not only if your phone is in a call, but also your phone number, device id and the number of the person you're connected to.

Read phone status and identity: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

https://play.google.com/store/apps/details?id=com.facebook.k...

And don't worry if your friend has the Facebook app and calls you if you don't have a profile. They can just search through your friend's contacts to associate your number with a shadow profile of you anyway.

There is an argument, because normal people don't know what the hell a READ_PHONE_STATE is.
The description is: "PHONE CALLS: READ PHONE STATUS AND IDENTITY. Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call."
I am sure that most users will not even read/understand that description.

If the user puts some effort into parsing it, they will understand it and what it means for their privacy. But most people will not put that much effort into installing an app.

Despite being perfectly clear to you and me, it is wrong to ask for these permissions at install time.

Imagine if every time you visited a web site you were given a list of 5 - 10 permissions requested by the website before you could visit.

Sorry, but if people can't read and understand that description, I am not so sure they should be using a smartphone.
I'm pretty sure it doesn't literally show them "READ_PHONE_STATE" and other permissions in enum form. There's a heading and a description of what each permission entails.
That doesn't give you the phone number though, nor does it excuse them using the phone number (as I'm inferring from the wording in the article). TelephonyManager.getDeviceId() returns the IMEI/MEID/ESN, not the phone number. When most developers require READ_PHONE_STATE for a unique id, this is what they use.
TelephonyManager.getDeviceId() has its own set of issues. See: http://android-developers.blogspot.com/2011/03/identifying-a...