Yesterday, my phone suddenly started downloading something called “Facebook build (somethingorother).” It didn’t show any progress, wouldn’t go away, and I worried that maybe it was a piece of malware or something buggy. A quick search turned up nothing. A later search found other people asking what this was. Late last night, there were articles about “Hey, why is Facebook updating itself!”
It turns out that yes, Facebook is now downloading its own updates on Android phones and tablets instead of just pushing them out through the relevant app stores (Google Play and Amazon, mainly). I’m sure they thought it was a great idea — web browsers like Firefox and Chrome have been doing this for several years on the desktop.
The problem is that it violates expectations of what the app will do, and where your software is coming from.
Imagine your car’s manufacturer issues a recall. Now imagine three scenarios:
Scenario 1: You receive a notice of the recall, asking you to make an appointment to bring the car in for maintenance. (For those of you who don’t drive, this is how it normally works.)
Scenario 2: You receive a notice offering to send a technician out to do the repairs at your home or workplace. (This would be awesome, but impractical.)
Scenario 3: You’re sitting in the living room when you hear a noise from the garage. You go out to investigate and find someone messing with your car.
That’s what this feels like.
It’s one thing to offer software through third-party channels. The fact that it’s possible is one of the reasons I prefer Android to iOS. In that case, notifying me of updates, maybe even simplifying the download would be very convenient — if I know ahead of time that it’s going to happen. And if they’re not switching channels on me. A download coming from some new location, but claiming to be a familiar piece of software, and a notice telling you to install it? That’s how trojans work.
In short, it’s a violation of trust…and if there’s one thing we’ve learned about Facebook over the last few years, it’s that the social network has enough problems with trust.
To be fair, they download an updated web site to your computer *every* time you visit Facebook in your browser…
I don’t mind auto-updating… I use the Aurora version of Firefox that has daily updates, which come straight from Mozilla rather than through Google Play. Like these new Facebook updates, these don’t appear to actually install automatically, but will download and prompt you.
But if an app *installed from* Google Play is actually prompting people to enable “install from unknown sources” to update itself, that seems to violate best practices on Android. Great option to have, but probably shouldn’t be enabled without knowing what you’re doing… the regular version of Firefox updates only regularly through Google Play.
“But if an app *installed from* Google Play is actually prompting people to enable “install from unknown sources” to update itself…”
That’s exactly what it’s doing:
https://hyperborea.org/journal/wp-content/uploads/2013/03/facebook-update.png
I agree that updates are fine *if you’re expecting them*. Otherwise, it looks enough like malware to bring up warning flags for the power users and train the average user to ignore those flags.
The webpage doesn’t have nearly as many permissions as the Facebook application on Android. If I recall, it’s not only a violation of trust, but a violation of Google Play terms, isn’t it?
You go out to investigate and find someone messing with your car.
At first he won’t say anything except “I’m here from the manufacturer.” No ID, no mention that there’s been a recall, nothing. You call your friend who has the same model car and she says “OMG, there’s a mechanic fucking with my car too! What the hell?” Then the electricity goes out in your garage and the guy stops working and just sits there. Still won’t say anything and won’t leave. Eventually you have to threaten to call the police to get him to leave. Fortunately he hasn’t actually done anything to your car. The next day you get a call from the dealership saying there’s been a recall…