The Russian-made FaceApp has been around since the spring of 2017 but taken social media by storm over the course of the past few weeks as millions of people downloaded the app to see how they would look when they are older or younger, or swap genders.
The app also contains a feature that allows users to download and edit photos from their Facebook accounts, which only works when a user enables FaceApp to access the social media account via the 'Login with Facebook' option.
As you can see in the screenshot above, besides requesting for access to your basic profile information and photos, FaceApp also fetches the list of your Facebook friends "who also use and have shared their friends' lists with FaceApp."
Have you yet asked yourself why this app asks for permission it unlikely need to perform its intended function?
FaceApp Unnecessarily Access Your Facebook Friends Lists
Indian security researcher Athul Jayaram recently contacted The Hacker News raising a huge red flag about the collection of users' Facebook friend list data that FaceApp currently doesn't use in any way to function itself or power any of its features.
"When an app asks for permissions that are unnecessary to its functioning, you should think twice before downloading it."
We also tried to find if FaceApp in someway is using this data to "enhance the user experience," but we failed to find one that justifies the collection of this particular data.
Apparently, the feature has now been discontinued, but the app still collects your friend list when you choose to Login with Facebook.
"We don't have this data anymore and planning not to request this permission soon. We used to have some social features (Social Stylist: you could invite your friends to vote for the best style, have a feed, etc.), those features needed this permission," Goncharov told The Hacker News.
"Please note that don't require a Facebook login for FaceApp to work, so only a few users are logged in."
It's a concerning issue considering the fact that the app has recently gone viral worldwide, crushing the App Store in 81 countries in just 6 days and climbing to number 1 spot from 1,370 on the top free apps chart in the US in only 5 days.
Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.Supercharge Your Skills
The Hacker News has also contacted Facebook, informing them about this FaceApp practice and asking them to comment on the matter.
How to Stop FaceApp From Accessing Irrelevant Personal Data
No doubt, "Login with Facebook" service makes logging in and creating accounts for various third-party online services, apps and games easier, but most of the times developers request access to a lot of your data unnecessarily.
FaceApp works completely fine without even connecting your Facebook account with the photo-editing app when you choose to select photos from your device storage, but if you still want to use the app to download Facebook photos, you can do it without revealing your Friends List.
While connecting your Facebook account with FaceApp or any other third-party service, Facebook displays a page with an edit button, allowing users to toggle OFF permissions they don't want third-party apps to access.
However, if you have already given FaceApp permission to access your Friend list or any other unnecessary permission, you can also edit it in your Facebook account settings under "Apps and Website" section.
FaceApp CEO Goncharov suggests that users can request the company to delete all data from FaceApp's servers by using 'Settings→Support→Report a bug' with the word 'Privacy' in the subject line.
Other Recent FaceApp Privacy Concerns
It is not the first time when FaceApp has been under scrutiny related to privacy issues.
Besides this, during the same time, another concern was raised that FaceApp wasn't just accessing users' submitted photos but also grabbing the entire camera roll from users' phones.
However, it was not the case, as French security researcher Baptiste Robert, who goes by Elliot Alderson on Twitter, refuted the speculation through his technical investigation, confirming that the app only uploads a photo selected by a user to its server for editing.