Thanks to Jagadeesh Chandraiah of SophosLabs for his help with this article.
Facebook popped up in a slew of new cybersecurity conspiracy theories over the weekend.
Apparently, the company’s Android app suddenly started grabbing superuser rights – also known as “root access” in the Linux world. (Android is based on the Linux operating system.)
Apps with root access can pretty much do anything, rather like users with Administrator powers on Windows.
Notably, root-level apps can fiddle with protected system settings, spy on other apps as they run, peek at data from other apps, and more.
So the news that Facebook was “getting root” quickly caused alarm, given the privacy crises in which the company has been embroiled lately.
The obvious questions were: HOW was Facebook able to get root in the first place, WHY did it need root anyway, WHAT on earth has it been doing with this unwarranted privilege, and WHAT possible excuse will it come up with this time?
Those are all dramatic questions when asked LOUDLY with capital letters, but the answers, fortunately, seem to be fairly mundane, and nowhere near as scary as you might at first think.
Simply put, apps can’t get superuser power on Android just because they want it.
Generally speaking, you have to root your Android device first, which requires physical access to the device in order to install modified versions of the phone firmware. (Firmware refers the operating system images that load when you turn on the device.)
Why root a device? In a paper at the CARO 2017 conference, SophosLabs researcher Jagadeesh Chandriah lists four common reasons: to customise the look and feel of the phone’s interface; to remove unwanted preinstalled apps (what’s often called as bloatware); to install otherwise unspported apps such as firewalls and network tethering tools; or simply for research purposes.
After rooting their devices, most phone rooters then install a superuser management tool that pops up when apps try to acquire superuser powers, and asks for approval.
Popular superuser access control tools include SuperSU, originally created by an Android researcher who goes by the name Chainfire (this one is mainstream enough to be available from Google Play) and Magisk.
Here’s the Magisk tool popping up on a rooted device to warn about Facebook’s bid to get superuser powers:
@facebook asking for root permission? 🤦‍♂️Time to dive into that APK! pic.twitter.com/1WdL5E2DdR
— Nikolaos Chrysaidos (@virqdroid) May 18, 2018
If you haven’t rooted your device, you won’t have a superuser access control tool, so you’ll never see a warning dialog like the above – but on an unrooted device, there won’t be any root-level activity to warn you about anyway.
The app will therefore work and behave as usual on unrooted devices.
On rooted phones, the app seems to behave the same whether you chose to deny or grant root privileges.
In other words, the superuser warning only appears if you’ve already set up your phone to permit superuser access with suitable consent, and the app won’t cause any harm even if you do grant it root powers.
Facebook’s app doesn’t try to use any tricks or vulnerabilities to get root on an unpatched phone (and therefore can’t do so without your consent), making the question of “How?” essentially redundant.
What about “Why?”
However, even without a conspiracy theory for “How?”, there isn’t an obvious answer for “Why?”
Was this another Facebook privacy overreach that somehow escaped from the laboratory and got found out?
Was it an attempt to detect and ban users with rooted Android devices from accessing Facebook at all?
Or was it just a new feature that attempted root detection (many apps, including Sophos Mobile Security, do this for security and safety reasons), and, while doing so, triggered a “get root” warning, too?
Android researcher Nikolaos Chrysaidos (@virqdroid) suggested on Twitter that the most likely culprit might be a service called WhiteOps that Facebook apparently integrated recently to help it look out for dodgy postings connected with fake news sites:
Along with other various checks. Facebook is probably integrating WhiteOps SDK and they forgot to re-implement the ROOT checking functionality. pic.twitter.com/NUDwQEkBFN
— Nikolaos Chrysaidos (@virqdroid) May 18, 2018
Perhaps various unneeded security features in the WhiteOps toolkit, or some other newly included module in the Facebook app, caused the unexpected warning?
Judging by Facebook’s response, that sounds likely:
A coding error in one of our anti-fraud systems caused a small number of people […] to see a request for additional access permissions. We do not need or want these permissions, and we have already fixed this issue. We apologize for any confusion.
What do do?
Make sure your Facebook app is up-to-date.
As we mentioned above, Facebook already reissued the “root grabbing” flavour of the app, so an update will sidestep this issue entirely.
To check your apps, open Google Play, tap the hamburger button (the three horizontal lines at top left) to open the menu and choose My apps & games.
That’s it.
igles
another good reason why facebook should be uninstalled from your phone
Bill
So let me get this straight. Questioning why something happened and not believing the word of a company known for gross invasion of privacy makes you a conspiracy theorist?
Paul Ducklin
Depends whether you ignore the answers to the questions in order to end up with the result you want.
If Facebook really wanted to sneak phone-rooting malware into its Android app, it simply wouldn’t do it like this.
(Unless this was, in fact, a subtle decoy to distract you later on :-)
After all, if you’re convinced that Facebook is up to no good and feel an obligation to catch the company out…
…there’s no point in wasting your investigative effort on cases that will go nowhere.
s31064
“After all, if you’re convinced that Facebook is up to no good and feel an obligation to catch the company out…”
…then why even have a Facebook account???
Tom
Including Google, many other well know companies collect our device data and use it for profit making purposes. Use Ghostery, and look at the amount crappy scripts(tracking, datacollection to name a few) which run in background of legit websites. We are stuck in this trap. If you really want to leak less data then use adblocker, ghostery, privacy browser and use apps directly in browser.
Scott Johnson
Facebook apps are always in the top 10 for battery draining apps. I don’t use any of their garbage apps. A phone browser works fairly well if you don’t need your phone buzzing notifications all day long.
Paul Ducklin
Of course, if you are looking for an app that keeps track of things online in the background so it can “buzz you with notifications all day long”, then you might reasonably expect that app to use a fair bit of battery. (Try browsing the web on your phone for an hour and see how much battery that uses.)
Whether high battery usage makes an app “garbage” depends on how much you’re inviting it to do. If you don’t need an app buzzing notifications all day long, try shutting the app and only running it when you really need it.
(FWIW, on my phone, Safari is at #1 with 48% of battery usage; Twitter is second at 17% and then it’s a race to statistical insignifance, with my calculator coming up at #10 with 2%. Facebook isn’t even on the list.)
Jorge R. Mobilbatt
At first everything was looking great. Now at work the battery doesn’t seem to hold the charge for very long on the standby time. Just checking for messages. In ten minutes I will lose 10% of the battery life. I followed the instructions that came with it. Just not living up to the positive reviews I read on it.
I hope this helps.
Jorge R. Mobilbatt