Zoom Removes Facebook SDK on iOS Because It Sent Back Unnecessary Information

After reports that the Zoom app on iOS was sending details about users’ devices to Facebook, even if they had no Facebook account, the company announced that it had removed the Facebook SDK from the application.

The Facebook SDK sends telemetry back to Facebook, usually about the devices it’s installed on, including hardware and operating system. While this information might help Facebook determine the hardware the apps are being installed on and the software ecosystems used, it’s strange, to say the least, to see the SDK send back this data for users who have no Facebook account or didn’t choose to use the Facebook login feature.

An investigation by Motherboard revealed this behavior of the Facebook SDK integrated into the web conferencing app Zoom. It turns out that analytics data was shared when users simply opened the app. The information sent back included details about the time zone, the time the app was opened, the default language, the iOS version, the IP address, the mobile carrier, and hardware details about the device itself.

Zoom integrated the Facebook SDK to let users log in with their Facebook credentials, but after the investigation revealed that it was doing more than that, the team decided to remove it entirely.

“We were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services,” said Zoom in a blog post. “The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc.”

“We decided to remove the Facebook SDK in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser.”

An update is now available for the Zoom app, and users need to install it as soon as possible. It’s still possible to log in with Facebook credentials, but new users will have to use the web version through the default browser.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Silviu STAHIE. Read the original post at: