Has your Facebook Android app been acting strangle lately? User reports indicate that the app has been users for superuser (root) permissions which grant Facebook full access to users’ devices. The superuser prompt says “Grants full access to your device” and not surprisingly, users started panicking over the unexpected and unnecessary root prompt. Several discussions were initiated on Reddit where users shared their experience and contempt.
It appears that the pop-ups come from the official Facebook app for Android and started showing up last night in UTC time. However, this is not the first time the app has acted this way, as indicated by various Reddit posts with different dates.
Facebook Asking for Superuser Access. So, What Is Going on?
According to multiple users, the first batch of superuser requests was triggered by the update of Facebook Android app 220.127.116.11.93. The latest complaints were likely triggered by v18.104.22.168.93, based on the experiences shared over the internet.
Security researchers believe that that the superuser prompts are a result of coding error. Avast mobile security researcher Nikolaos Chrysaidos investigated a bit and believes believes the issue stems from an SDK embedded in the Facebook app. More specifically, he believes that the prompts are triggered by WhiteOps SDK, a software development kit for detecting ad fraud and implementing domain white/black-lists.
“Along with other various checks. Facebook is probably integrating WhiteOps SDK, and they forgot to re-implement the ROOT checking functionality,” the researcher said.
Facebook Makes Mistake after Mistake
Nevertheless, this is the worst time for Facebook to make such a big mistake, with the Cambridge Analytica scandal, the forthcoming GDPR, and the overall increasing privacy concerns of individual users.
Mentioning the GDPR… In April, Reuters reported that Facebook plans to change its terms of service so that its 1.5 billion non-European users would no longer be covered by the privacy law. Until now, all users outside of the US and Canada have been governed by terms of service compliant with the company’s international headquarters in Ireland. Since any user data processed in Ireland is about to fall under GDPR’s protection, Facebook is changing the agreement in a way that users in Africa, Asia, Australia and Latin America are governed by more permissive US privacy laws.