Sunday, May 7, 2017

Look after your privacy: Needy Facebook Apps

Some of us (myself included) share a lot of personal information on Facebook. By nature we avoid publishing anything confidential or delicate. We usually try to friend only people we know for real. But we often forget about connected apps that have access to our entire account, at any time, and that can act on our behalf.

A few weeks ago I saw a friend sharing some unusual posts. This person was never notified that these weird, garbage posts were being made on their behalf. When I pointed it out, my friend replied that they were unaware of this and thought they had been hacked.

"Not so fast!" I said, and we reviewed together the almighty Privacy tab in the Facebook settings.

We didn't find anything suspicious there. So we moved to the Applications tab.

We found the rat! 🐀
To our astonishment, we found a huge list of around 120 apps connected to the account. These are listed in the first section of the page, called "Logged in with Facebook". These apps belong to third-party companies that have access to a variety of information and can perform actions on our behalf. Each app has its own separate configuration.

To see what privileges each app has, click on it to open a detailed window. Be careful not to click on the "x" that appears when you hover the mouse over that app.

Example of the privileges an app has

An app can be as needy as the company that created it wants, and can even have the ability to post on your behalf. To learn more about the permissions an app can request, see the technical Facebook developer documentation at this link.

Going deeper on the problem
How did these ~120 apps end up in my friend's account? Sometimes the surveys/quizzes that we take ask to link to our account, and we overlook the requirements by just pushing "I accept"/"Link to account".
Other times it's the default way to log in to other services, like Duolingo or Spotify. (Please don't remove these apps, otherwise you will have trouble logging back in to their respective services.)

In the past, apps always showed a window specifying what would be granted. This is no longer the case. Nowadays some games, for example, will automatically link to your account if you just open them, displaying only a small warning like the one below.

By clicking on "Play Now", the company that created that game will have access to your full name, your email address, your list of friends, age, gender, profile picture, language, country and other public info.

How to be safe
The rule of thumb is that most apps should not require any permission other than "Public profile". But apps like Duolingo, for example, also ask for access to your friends list, so that they can show you a leaderboard of how well your friends are doing.
If you find an app that is really needy, you can edit the permissions before installing it by clicking on "Edit the info you provide", shown in the previous picture.

Alternatively, if you already have an app linked to your account, you can go to the apps tab in your settings, click on a given app and review what you are providing to it (check the third image in this article, titled "Example of the privileges an app has").

What if we have old quizzes or other apps we will never use again?
I recommend you go ahead and remove them! To do so, in the apps tab of Facebook settings, hover the mouse over an app that you want to get rid of, click on the "x" that appears near the name of the app, and you will be prompted with a dialog like the one below. But not so fast! I strongly suggest checking the "Delete all your ____ activities..." box so that anything evil the app published on your behalf is also removed.

Remember to stay safe!