rodrodrod | 12 years ago

This has been a thing for about a month and a bit now. A Facebook engineer posted the following on Reddit[0], explaining the rationale behind the SMS permission:

> As for the READ_SMS permission, we require that so we can automatically intercept login approvals SMS messages for people that have turned on 2-factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account. Unfortunately, the Android permissions system does not allow us to specify that we would like to be able to read only SMS messages from a specific number (plus that wouldn't scale well because the list of numbers varies per country, but that's a separate issue).

[0] http://www.reddit.com/r/WTF/comments/1t5z45/facebook_why_the...

ddeck | 12 years ago

The problem with this is that although it's likely true, there is no guarantee that what is done with that permission will not expand in the future.

e.g. Given the explanation that it's only for 2-factor authentication, I accept and install. When the next version is released (which does more with that permission), I see no new permissions required and install.

ericcumbee's suggestion of sending a URI makes much more sense to me. A per-request permissions model would likely need to include a "yes to all" checkbox, which would be checked in short order by the vast majority of users.

furyg3 | 12 years ago

I feel like some sort of manual component to two-factor authentication is the whole point (a clickable link, copy+paste, or remembering a 4 digit number).

Besides that, two factor is a bit of a joke in an app (on your phone) that caches your password, and then sends a message (to your phone) which is automatically read and accepted, before allowing you to log in. What exactly are we achieving here in terms of security? Every 30 days the app authenticates itself with no user intervention.

It would be much more secure to just force a password login.

nikolak | 12 years ago

>I feel like some sort of manual component to two-factor authentication is the whole point

It's not really. The point is to verify that the device used for 2FA is still with you; whether you entered the code manually or it got entered automatically isn't the point of the system, and in practice makes no real difference (unless your 2FA app requires a password for access).

>What exactly are we achieving here in terms of security?

Verifying that the phone is still using the allowed SIM card/phone number.

If you switch phones you can still get the confirmation message and access your account and if needed invalidate all other sessions.

If your phone is stolen you can do the same thing. The app password caching doesn't matter then.

It is no different than a 2FA app that you have on your phone, except that it's more tied to your SIM card than your phone.

laug | 12 years ago

If you offer some kind of flag that can authenticate without the second factor then the whole system is moot. I.e. an attacker can fake/spoof the user agent or whatever flag you're using. The reason it's OK to skip the constraint on a mobile is that if your mobile is owned, so is your secondary factor.

For all other cases going via cell networks is a good enough secondary channel of communication, which leaves out any chance of being MITM'd over WiFi or something.

hueving | 12 years ago

We are achieving the same security guarantee as before, just without the user pain. All two factor provides in this case is proof that you have the phone associated with your account. Why does it matter if the app does the legwork for you?

cliveowen | 12 years ago

It's bullshit, I'm sure they have a similar motivation for retrieving running apps. When I bought my Nexus 5 I installed a game on it and was surprised to see on the desktop Facebook constantly asking me to like it. I didn't see it before, and now it was there just after I had installed it; it wasn't a coincidence. Turns out the Facebook app has the permission to retrieve running apps, and this obviously happens whether you actually open the app or not, since it's always running in the background. This is fucking bullshit and I'm tired of companies always trying to peer into our lives.

Cthulhu_ | 12 years ago

The problem with many permission systems, such as this one, is that the developer of an app can't indicate to the user /why/ it needs a certain permission. Second, that the user cannot allow/disallow the permission at the time of installation, and that the app / app developer can then indicate, like in this case, that automatic two-factor authentication won't work. Which is fine.

tl;dr: Android's permission system does not allow for transparency from the developers. It makes the app developers look like douchebags going 'I WANT TO READ ALL YOUR TEXTS', instead of 'I'd like to make things a little easier for you by automatically intercepting two-factor authentication texts'.

jaxb | 12 years ago

You're proposing to solve a non-tech issue (trusting the app's developer) with tech -- what's to stop the developer from lying anyway?

jokoon | 12 years ago

A better alternative would be to ask the user each time to check if the SMS was received, that would ensure some trust.

You can't just peek into the entirety of a user's SMS and justify it as being for the security of your users.

At least put an option to give users a choice and not force them to have their SMS read in the name of innovation, or explain why you read them and that you need just that one SMS.

ericcumbee | 12 years ago

Am I crazy, or could they not just include a URI to the Facebook app with the 2-factor auth token included as an argument?

nl | 12 years ago

Yes of course. But this allows them to automate that process.

Typical tradeoff: It's a nice feature, but adding it requires permissions that are off-putting to some users. I'm not sure there is a good solution here.
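One way to implement ericcumbee's suggestion above, as an added Java example that is not part of this thread or of Facebook's app: the login-approval SMS carries a deep link, and tapping it hands the code to the app through an intent filter, so the app never needs READ_SMS. The scheme `exampleapp`, host `2fa`, parameter `code` and the `submitCode` call are assumptions.

```java
// Added example, not Facebook's code. Scheme, host and parameter names are hypothetical.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TwoFactorLinkActivity extends Activity {
    // Assumed declaration in AndroidManifest.xml so the OS routes the link here:
    // <activity android:name=".TwoFactorLinkActivity" android:exported="true">
    //   <intent-filter>
    //     <action android:name="android.intent.action.VIEW" />
    //     <category android:name="android.intent.category.DEFAULT" />
    //     <category android:name="android.intent.category.BROWSABLE" />
    //     <data android:scheme="exampleapp" android:host="2fa" />
    //   </intent-filter>
    // </activity>

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String code = extractCode(intent.getData());
        if (code == null) {
            finish();   // not a well-formed 2FA link; ignore it silently
            return;
        }
        // Hand the code to the server together with the pending login's session;
        // the server, not the app, decides whether it is valid and still unused.
        // submitCode(code);   // hypothetical network call
        finish();
    }

    /** Returns the code only if the URI has exactly the expected shape, else null. */
    static String extractCode(Uri data) {
        if (data == null) return null;
        if (!"exampleapp".equals(data.getScheme())) return null;
        if (!"2fa".equals(data.getHost())) return null;
        String code = data.getQueryParameter("code");
        // Codes are short and numeric; reject anything else so a crafted link
        // cannot push arbitrary strings into the login flow.
        if (code == null || !code.matches("[0-9]{6,8}")) return null;
        return code;
    }
}
```

A custom URI scheme on Android is not exclusive, so another installed app can register the same scheme and receive the link; the code must therefore be single-use and short-lived, and the server must still bind it to the login attempt that requested it.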