There have been numerous cases of apps getting hold of a user's sensitive personal information through their phone without the user having even the slightest inkling of it.
The app permissions on a smartphone, especially in earlier versions of Android, are a complex feature, and there seems to be no way of ensuring that a particular app does not get hold of private data. Even with precautionary measures by users and OS alike, abuse of fundamental sensitive information can take place through call logs and SMS-related permissions.
To protect such sensitive data, Google has updated its Google Play Developer Policy and, since October 2018, has been carrying out a massive clampdown known as Project Strobe.
Several incidents that occurred last March point to Facebook having abused these call log and SMS-related permissions, through which it had collected call and text data of users without their permission. Of course, Facebook responded by denying its participation in such activities in an official statement that states,
“This specific feature allows people to opt in to giving Facebook access to their call and text messaging logs in Facebook Lite and Messenger on Android devices. We use this information to do things like make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite.”
The latest alpha builds of the Facebook and Facebook Messenger Android apps apparently suggest that these apps no longer ask for SMS and call log access, respectively. Facebook (package name: com.facebook.katana) seems to have discarded the READ_SMS permission and Facebook Messenger (package name: com.facebook.orca) the READ_CALL_LOG permission.
This change was hinted at by reverse engineer Jane Manchun Wong (@wongmjane) on February 14, when she posted:
“Facebook for Android no longer collects text messages. The app no longer contains the code that touches SMS, hence no longer asks for such permission.”
An article on Google’s Help Center, targeting app developers, states the following:
You should only access Call Log or SMS permissions when your app falls within permitted uses and only to enable your app’s core functionality.
Core functionality is defined as the main purpose of the app. It’s the feature most prominently documented and promoted in the app’s description; no other feature is more central to the app’s functionality.
If this feature isn’t provided, the app is “broken” or rendered unusable (i.e., app is deprived of its primary functionality and will not perform as a user would expect).
While the policy affected apps like call recorders and automation tools, some of them were whitelisted by Google. Overall, Google aims to restrict apps' access to sensitive personal data.
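A change like the one described above, where a new build stops requesting READ_SMS or READ_CALL_LOG, can be checked by comparing the manifests of two builds. The following is an added example, not code from Facebook, Google or the original article; it assumes the AndroidManifest.xml files have already been decoded from the APK's binary format into text XML, and the sample manifests and the package name com.example.app are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions in Android's SMS and Call Log permission groups.
RESTRICTED = {
    "SMS": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS", "RECEIVE_WAP_PUSH"},
    "CALL_LOG": {"READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS"},
}

def restricted_permissions(manifest_xml):
    """Return {group: sorted permission names} requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    # uses-permission-sdk-23 requests the permission on API 23+ only; count it too.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            prefix, _, short = name.rpartition(".")
            if prefix != "android.permission":
                continue  # app-defined permission that merely reuses a platform name
            for group, members in RESTRICTED.items():
                if short in members:
                    found.setdefault(group, set()).add(short)
    return {g: sorted(p) for g, p in found.items()}

def dropped_permissions(old_xml, new_xml):
    """Restricted permissions present in the old build but absent from the new one."""
    old, new = restricted_permissions(old_xml), restricted_permissions(new_xml)
    gone = {g: sorted(set(p) - set(new.get(g, []))) for g, p in old.items()}
    return {g: p for g, p in gone.items() if p}

# Constructed sample manifests (not extracted from any real APK).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">'
OLD_MANIFEST = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="com.example.app.permission.READ_SMS"/>
</manifest>"""
NEW_MANIFEST = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    print("old build requests:", restricted_permissions(OLD_MANIFEST))
    print("dropped in new build:", dropped_permissions(OLD_MANIFEST, NEW_MANIFEST))
```

A dropped manifest entry shows only that the build no longer declares the permission; whether the related code was removed, as the quoted post states, is a separate check.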