Earlier this week, security firm Symantec discovered Facebook for Android leaks its users’ phone numbers, sending them back to the company. For its part, Facebook told TNW it has addressed the issue in a recent beta release and will be rolling out the fix to the stable app soon.
Facebook also told us it did not use or process the phone numbers in any way. Furthermore, the company says it has already deleted them from its servers.
Symantec found the flaw in Facebook’s Android app by accident. The company was working on an updated version of its Norton Mobile Security app for Android devices with its new Norton Mobile Insight technology.
Norton Mobile Insight analyzes over 4 million Android apps every day, including tens of thousands of new apps. It finds malicious applications, privacy risks, and potentially intrusive behavior via automatic and proprietary static and dynamic analysis techniques, and gives the user information about what risky behavior an app will perform.
Here’s what happened when the company was testing its technology:
The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks. Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number.
The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.
Symantec reached out to Facebook, which investigated the issue and told it a fix would be available in the next Facebook for Android release. We have since confirmed this with Facebook, and reported on the beta release that arrived yesterday. We’ll let you know when the fix is available in the main Android app.
Top Image Credit: Justin Sullivan/Getty Images