According to security gurus Symantec, Android owners who use the official Facebook app are having their phone numbers stored without their knowledge. This is standard practice when using the contact sync feature in the Facebook app, but this security flaw is sending mobile numbers to Facebook servers as soon as the app is opened. Oh boy.
Norton found this security flaw while running a routine test with their Mobile Insight app, which uses various analysis techniques to seek out risky and malicious behavior in Android apps.
“Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.
According to Google Play, hundreds of millions of devices have installed the Facebook application and a significant portion of those devices are likely affected.
We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release. They stated they did not use or process the phone numbers and have deleted them from their servers.” – Official Symantec Blog
While the cause of the security flaw is unknown, Facebook has promised to provide a fix for this problem in the next update of their official Android app. For the sake of our privacy, let’s hope that happens soon.