by rodrodrod 4520 days ago
This has been a thing for about a month and a bit now. A Facebook engineer posted the following on Reddit[0], explaining the rationale behind the SMS permission:

> As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned on 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, Android's permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number (plus that wouldn't scale well because the list of numbers varies per country, but that's a separate issue).

[0] http://www.reddit.com/r/WTF/comments/1t5z45/facebook_why_the...

7 comments

The problem with this is that although it's likely true, there is no guarantee that what is done with that permission will not expand in the future.

e.g. Given the explanation that it's only for 2-factor authentication, I accept and install. When the next version is released (which does more with that permission), I see no new permissions required and install.

ericcumbee's suggestion of sending a URI makes much more sense to me. A per-request permissions model would likely need to include a "yes to all" checkbox, which would be checked in short order by the vast majority of users.

I feel like some sort of manual component to two-factor authentication is the whole point (a clickable link, copy+paste, or remembering a 4 digit number).

Besides that, two factor is a bit of a joke in an app (on your phone) that caches your password, and then sends a message (to your phone) which is automatically read and accepted, before allowing you to login. What exactly are we achieving here in terms of security? Every 30 days the app authenticates itself with no user intervention.

It would be much more secure to just force a password login.

>I feel like some sort of manual component to two-factor authentication is the whole point

It's not really. The point is to verify that the device used for 2FA is still with you; whether you entered the code manually or it got entered automatically isn't the point of the system, and in practice has no real difference (unless your 2FA app requires a password for access).

>What exactly are we achieving here in terms of security?

Verifying that the phone is still using the allowed SIM card/phone number.

If you switch phones you can still get the confirmation message and access your account and if needed invalidate all other sessions.

If your phone is stolen you can do the same thing. The app password caching doesn't matter then.

It is no different than a 2FA app that you have on your phone, except that it's more tied to your SIM card than your phone.

If you offer some kind of flag that can authenticate without the second factor then the whole system is moot. I.e. an attacker can fake/spoof the user agent or whatever flag you're using; the reason it's OK to skip the constraint on a mobile is that if your mobile is owned, so is your secondary factor.

For all other cases going via cell networks is a good enough secondary channel of communication which leaves out any chance of being MITM'd over WiFi or something.

We are achieving the same security guarantee as before, just without the user pain. All two factor provides in this case is proof that you have the phone associated with your account. Why does it matter if the app does the legwork for you?
> We are achieving the same security guarantee as before, just without the user pain.

I'd argue that a corporation other than the phone company being able to read all your text messages is significant pain.

Given that FB seems to want to take over all communication between users (contact list/blog/email/photos/messaging) FB being able to track and access anything you do is the inevitable endpoint of such aspirations, but many people are not comfortable with that, and the farther FB go down that road, the more people they'll alienate.

It's bullshit, I'm sure they have a similar motivation for retrieving running apps. When I bought my Nexus 5 I installed a game on it and was surprised to see on the desktop Facebook constantly asking me to like it. I didn't see it before and now it was there just after I had installed it, it wasn't a coincidence. Turns out the Facebook app has the permission to retrieve running apps, and this obviously happens whether you actually open the app or not, since it's always running in the background. This is fucking bullshit and I'm tired of companies always trying to peer into our lives.
The problem with many permission systems, such as this one, is that the developer of an app can't indicate to the user /why/ it needs a certain permission. Second, that the user cannot allow/disallow the permission at the time of installation, and that the app / app developer can then indicate, like in this case, that automatic two-factor authentication won't work. Which is fine.

tl;dr: Android's permission system does not allow for transparency from the developers. It makes the app developers look like douchebags going 'I WANT TO READ ALL YOUR TEXTS', instead of a 'I'd like to make things a little easier for you by automatically intercepting two-factor authentication texts'.

You're proposing to solve a non-tech issue (trusting the app's developer) with tech -- what's to stop the developer from lying anyway?
A better alternative would be to ask the user each time to check if the SMS was received, that would ensure some trust.

You can't just peek into the entirety of a user's SMS and justify it as being for the security of your users.

At least put in an option to give users a choice and not force them to have their SMS read in the name of innovation, or explain why you read them and that you need just that one SMS.

Am I crazy, or could they not just include a URI to the Facebook app with the 2-factor auth token included as an argument?
Yes, of course. But this allows them to automate that process.

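An added example, not code from the thread or from Facebook's app, of the alternative ericcumbee describes: the login approval arrives as a deep-link URI carrying a one-time token, so the app only has to parse the link it was handed and never needs permission to read the SMS inbox. The `fbapp://` scheme, the five-minute lifetime, the attempt ids and the `ApprovalServer` class are assumptions made for the example; the server stores only a digest of the token, makes it single-use, and binds it to the login attempt it was issued for.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

APPROVAL_TTL = 300          # assumed: a login-approval link is valid for 5 minutes
APP_SCHEME = "fbapp"        # assumed deep-link scheme registered by the mobile app


class ApprovalServer:
    """Issues and redeems one-time login-approval tokens delivered as a deep link.

    Hypothetical server-side component; the raw token is never stored, only its digest,
    so a leaked table of pending approvals does not leak usable tokens.
    """

    def __init__(self):
        # token digest -> (login_attempt_id, expires_at)
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_uri(self, login_attempt_id: str, now=None) -> str:
        """Create a fresh token for this login attempt and wrap it in the app's URI."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                # 256 bits of entropy
        self._pending[self._digest(token)] = (login_attempt_id, now + APPROVAL_TTL)
        query = urlencode({"attempt": login_attempt_id, "token": token})
        return f"{APP_SCHEME}://approve?{query}"

    def redeem(self, attempt_id: str, token: str, now=None) -> bool:
        """Accept the token once, only before expiry, and only for the bound attempt."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)   # pop => single use
        if entry is None:
            return False                                       # unknown or replayed
        bound_attempt, expires_at = entry
        if now > expires_at:
            return False                                       # stale link
        return secrets.compare_digest(bound_attempt, attempt_id)


def parse_approval_uri(uri: str):
    """What the app does when the link is tapped: pull the two query parameters.

    Returns (attempt_id, token) or None if the link is not one of ours.
    """
    parts = urlsplit(uri)
    if parts.scheme != APP_SCHEME or parts.netloc != "approve":
        return None
    query = parse_qs(parts.query)
    try:
        return query["attempt"][0], query["token"][0]
    except (KeyError, IndexError):
        return None


def demo():
    """Walk through a fresh approval, a replay, and an expired link (constructed timestamps)."""
    server = ApprovalServer()

    uri = server.issue_uri("attempt-42", now=1000.0)
    attempt, token = parse_approval_uri(uri)
    first = server.redeem(attempt, token, now=1010.0)          # True: fresh, in time, bound
    replay = server.redeem(attempt, token, now=1011.0)         # False: token already used

    stale_uri = server.issue_uri("attempt-43", now=1000.0)
    attempt2, token2 = parse_approval_uri(stale_uri)
    expired = server.redeem(attempt2, token2, now=1000.0 + APPROVAL_TTL + 1)  # False

    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The binding to the attempt id is what keeps the scheme equivalent to the SMS flow: a link issued for one login cannot be redeemed to approve a different one, and the single-use pop means a link that is forwarded or logged after use is worthless.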
Typical tradeoff: It's a nice feature, but adding it requires permissions that are off-putting to some users. I'm not sure there is a good solution here.

The good solution is in Android's hands and is to allow on demand permission requests after the app is installed.
I remember when Symbian did that. God it was awful!

But perhaps if it were implemented better it might make some sense.

Android does on-demand permission requests for premium SMS sending. Now to just scale that to anything an app developer wants to make optional.
This reminds me a lot of LinkedIn's clever scheme to MITM your IMAP traffic: http://blog.linkedin.com/2013/10/23/announcing-linkedin-intr...