Why You Don’t Need to Fear App Permissions

Lately if you are on any social media platform you are probably being bombarded by people posting videos and status updates about how the new Facebook Messenger app is tapping their phone and how this is the worst thing to ever happen. This is largely the fault of the Huffington Post.

How much access to your (and your friends’) personal data are you prepared to share for access to free mobile apps? I suspect the amount is significantly less than that which you actually agreed to share when blindly accepting the Terms of Service.

Case in point: Facebook’s Messenger App, which boasts over 1,000,000,000 downloads, requires the acceptance of an alarming amount of personal data and, even more startling, direct control over your mobile device. I’m willing to bet that few, if any, of those who downloaded this app read the full Terms of Service before accepting them and downloading the app.

This sounds really scary, but I assume that just like every other fear monger out there they don’t actually understand App permissions.


What Permissions Does Facebook Want?

Before we even look at what permissions the app wants we need to understand what the app is. The app everybody is scared of is Facebook Messenger. This is obviously Facebook’s solution to Google’s Hangouts app which is largely a messaging app with some other features built in. if you are using a new Android phone there is a chance Hangouts is your default SMS app. When you install Facebook Messenger you are prompted with a pop up asking if you give the app permissions (The one you never read, you just press OK). If you pay attention you will see that the app needs access to several things:

In-app purchases
An app can ask you to make purchases inside the app.

Device & app history
An app can use one or more of the following:

  • Read sensitive log data
  • Retrieve system internal state
  • Read your web bookmarks and history
  • Retrieve running apps

Cellular data settings
An app can use settings that control your mobile data connection and potentially the data you receive.

An app can use your account and/or profile information on your device.

Identity access may include the ability to:

  • Find accounts on the device
  • Read your own contact card (example: name and contact information)
  • Modify your own contact card
  • Add or remove accounts

An app can use your device’s contacts and/or calendar information.

Contacts and calendar access may include the ability to:

  • Read your contacts
  • Modify your contacts
  • Read calendar events plus confidential information
  • Add or modify calendar events and send email to guests without owners’ knowledge

An app can use your device’s location.

Location access may include:

  • Approximate location (network-based)
  • Precise location (GPS and network-based)
  • Access extra location provider commands
  • GPS access

An app can use your device’s text messaging (SMS) and/or multimedia media messaging service (MMS). This group may include the ability to use text, picture, or video messages.

Note: Depending on your plan, you may be charged by your carrier for text or multimedia messages. SMS access may include the ability to:

  • Receive text messages (SMS)
  • Read your text messages (SMS or MMS)
  • Receive text messages (MMS, like a picture or video message)
  • Edit your text messages (SMS or MMS)
  • Send SMS messages; this may cost you money
  • Receive text messages (WAP)

An app can use your phone and/or its call history.

Note: Depending on your plan, you may be charged by your carrier for phone calls.

Phone access may include the ability to:

  • Directly call phone numbers; this may cost you money
  • Write call log (example: call history)
  • Read call log
  • Reroute outgoing calls
  • Modify phone state
  • Make calls without your intervention

An app can use files or data stored on your device.

Photos/Media/Files access may include the ability to:

  • Read the contents of your USB storage (example: SD card)
  • Modify or delete the contents of your USB storage
  • Format external storage
  • Mount or unmount external storage

An app can use your device’s camera and/or microphone.

Camera and microphone access may include the ability to:

  • Take pictures and videos
  • Record audio
  • Record video

Wi-Fi connection information
An app can access your device’s Wi-Fi connection information, like if Wi-Fi is turned on and the name(s) of connected devices.

Wi-Fi connection information access may include the ability to:

  • View Wi-Fi connections

Device ID & call information
An app can access your device ID(s), phone number, whether you’re on the phone, and the number connected by a call.

Device ID & call information may include the ability to:

  • Read phone status and identity

An app can use custom settings provided by your device manufacturer or application-specific permissions.

Note: If an app adds a permission that is in the “Other” group, you’ll always be asked to review the change before downloading an update.

Other access may include the ability to:

  • Read your social stream (on some social networks
  • Write to your social stream (on some social networks)
  • Access subscribed feeds

When you review individual permissions, all permissions, including those not displayed in the permissions screen, will be shown in the “Other” group

This is more information than you probably need to know about each of these features. When you are developing your app (in this case Android) depending on the platform you need to ask permission to use certain phone APIs (Application Programmer Interface), This means that before you can write code to interface with the camera on an Android device you need to actually add a line of code to the manifest file which prompts the user to say you can.


Why Does Facebook Need These Permissions?

This is where things start to make sense. The Facebook Messenger app wants to compete with the default SMS App on your Android phone. In order to do so you need to give it permission to actually send and receive your SMS messages. This doesn’t mean that the app is going to steal all your information, it means if you are going to use it for your SMS you need to let it do that. Android Central did a really good job of summarizing the permissions and why it needs them.

Phone calls

  • Directly call phone numbers. This one’s followed by a yellow “This may cost you money” warning, and a little image of coins, again indicating that it could, potentially, cost you money.
  • Read phone status and identity.

Why these permissions: Because Facebook messenger can call people. Or, rather, it can initiate a call. If someone has given Facebook their phone number, you’ll be able to call them through this app. At the same time, the app has the ability to see what your phone number is.


  • Edit your text messages (SMS or MMS)
  • Read your text messages (SMS or MMS)
  • Receive text messages (MMS)
  • Receive text messages (SMS)
  • Send SMS messages (This may cost you money)

Why these permissions: Facebook Messenger uses an SMS to confirm your phone number when you decide to give it to Facebook. Note how that works in conjunction with the “read phone identity” permission above. Facebook Messenger also allows you to send a text message or MMS to someone who isn’t yet on Messenger. (You have to give it access to your contacts, though, for that to work.)


  • Take pictures and videos

Why this permission: Facebook Messenger can use the camera to … wait for it … take a picture or shoot video.


  • Record audio

Why this permission: Facebook Messenger can use your microphone to … wait for it … record a message to send to a friend. Or make phone calls.


  • Approximate location (network-based)
  • Precise location (GPS and network-based)

Why these permissions: Because Facebook Messenger, just just about every other social network, uses location for all sorts of things. And there’s more than one way to get location on a device.


  • Read call log
  • Read your contacts
  • Read your own contact card

Why these permissions: Facebook Messenger is a messenger app, and it has the ability to sync up with your phone contacts. (That’s a separate process altogether, but it still has to declare the permission up front if it’s going to do any of it from your phone.)

SD card

  • Modify or delete the contents of your SD card
  • Read the contents of your SD card

Why these permissions: Facebook’s addressed this one directly already regarding its Facebook proper app, but it’s also a pretty standard permission for any app that needs to cache data somewhere. In this case, think your friends’ contact pictures. Instead of downloading them every time you use the app, which is slow and costs data, it stores them. (And that’s just one example.) And “SD card” is a misnomer (and another example of how permissions can be clunky), because it’s not actually talking about a physical SD card.


  • Find accounts on the device
  • Read Google service configuration

Why these permissions: Facebook Messenger is a Facebook app. And you know how you’re able to use your Facebook account to sign into other things. (Including our Mobile Nations sites, actually.) And if you look in the main accounts settings on your device, you’ll see the Facebook service listed here. Thus, the permission.


  • Change network connectivity
  • Download files without notification
  • Full network access
  • Receive data from Internet
  • View network connections
  • View Wifi connections

Why these permissions: This sort of thing often sounds far more scary than it should. First, the obvious: Facebook Messenger needs a data connection. Full stop. That explains most of that there. As for downloading files without notification, ever wonder how Facebook apps sometimes look different even though you didn’t actually update the app? There you go. (Not saying we’re a fan of that one, by the way. We’d prefer transparency.)

Other permissions

  • Run at startup: Facebook Messenger is a messaging app. In order to be effective, it needs to be open. So it sets itself to run at startup in the background.
  • Draw over other apps: Two words: Chat Heads.
  • Control vibration/prevent phone from sleeping: Pretty standard for notifications in an app like this.
  • Read sync settings: Lets the app see if background syncing is on.
  • Install shortcuts: Again, Chat Heads and your home screen.


The Bottom Line

This is no where near as scary is what people are making this out to be. Most of the comments are coming from people who don’t understand app permissions and get worked up without researching. I guarantee you that you don’t even need to install an app before all your SMS and phone calls are being collected, your phone has been tapped since you bought it. Getting upset over some app permissions is just silly.

You can read more about system permissions in regards to:

Once you have a better understand of permissions they wont be so scary.

Source: Huffington Post, Android Central