Facebook Messenger has abundance of permissions

Facebook Messenger has abundance of permissions

Lately, there has been quite a bit of talk about how Facebook Messenger for Android has an abundance of permissions, permissions that may seem out of the spectrum of what a messenger app should need.

Since Facebook no longer allows users to use its flagship Facebook app to send messages, users must now install the new Facebook Messenger app to regain this functionality.

This isn’t the first time questions have risen about Facebook’s long list of permissions. When they first introduced the Facebook app, it came packed with permissions (and it still does).

Let’s first look at the Facebook Messenger app permissions:


In comparison, the Facebook app has all the same permissions, plus Device & app history permissions.

Before you decide to toss Facebook aside and start using Google Hangouts, the messenger for Google Plus, note that it has the same permissions as Facebook Messenger.

The question is whether or not Facebook, Google, or other well-known companies with apps in the Android Play store need the long list of permissions in there apps?

Let’s look at some of the more troubling permissions in Facebook Messenger; location, SMS, Camera/Microphone, and Device ID & call information.

  • Location permissions are used to show the location of where you are sending the message from.  It’s arguable whether this is really necessary, but the function is there.
  • SMS is being used for when you add a phone number to a Facebook messenger account, it can confirm the phone number being used by sending a confirmation code via text message.
  • Camera permissions are so you can use the camera to take a picture to send through messenger, and microphone permissions are used so you can record and send audio.
  • Device ID & call information is used to initiate outgoing calls so you can call friends and family through the messenger app.

In other words, Facebook is NOT tracking your every move, NOT looking at your SMS messages, NOT using your camera and microphone to spy on you, and NOT tracking all your call information.

Facebook and other companies are going to continue to come out with feature rich apps, and the more features they have, the more permissions they will need.

Many of these permissions would be a huge red flag that something fishy might be going on. The difference between good apps and bad apps is how the permissions are used in the code.

It’s the code that contains the malicious intent, but it’s not always easy to tell what permissions are legitimately being used, and which are being exploited.

That’s why we are here to make those hard decisions to keep our customers safe.  So yes, it’s a little scary when apps have an overwhelming list of permissions. This is especially true with social media apps that handle content that some may consider “private”.

One more thing worth mentioning: with all these permissions, you want to make sure you have the correct Facebook Messenger app from the Google Play store.

You’ll know it’s the right one when you see the package name “com.facebook.orca” with a large amount of downloads and reviews.  The package name displayed in the URL on the Google Play site after “id=”.  It would be bad news to get a knock off app with this many permissions from a third-party market.  Stay safe out there.

Nathan Collier


Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.