6 Feb 2010

Review your Facebook apps permissions

How long have you been using Facebook?  For years?  Months?  Here's something you might want to do now (and every now and then going forward):

When you open a new application on Facebook, you have to approve the app to access your information (by clicking on the "Allow" button).  If you don't, you cannot use the app, so it's essential that you approve the apps that you want to use.

However, if you approve application X today, Facebook will remember that approval forever!  So, if you don't use some apps anymore, revoking access to them is a good idea.  First, open the Application Settings page of Facebook.  Then select "Granted Additional Permissions" from the Show dropdown list.

From the list of apps Facebook shows, here are some categories that are important:
  • Offline access: Any app that has offline access to your information can access your profile, friends, etc. even when you are not using the app.  Although it's not likely that an app would do it, it's technically possible for an app with such access to periodically read your friends list and gather information without your knowledge.  You don't have to open that app.  You don't even have to open Facebook, for that matter.  You might want to remove this access from all apps that you don't use anymore.
  • Email: Apps that have this access can send you spam email whenever they wish.  Remove the apps from which you don't want to receive emails.
There are other access levels too.  If you don't understand what permissions an app has, click on the "Edit Settings" link for that app and you can find out everything it's allowed to do.

In my case, the Likeness app has offline access and the ability to post whatever it likes as my news update.

I don't really use the Likeness app.  So I revoked access by clicking the "x" near its name.

But why revoke access?
Is it because Facebook applications are evil and they might steal your data?  No, at least I don't think they steal my data.  Here are the reasons that motivate me to revoke permissions:
  • People in the real world know only as much about me as they need to know.  I like to keep it the same way with machines too.  If I don't use a Facebook app, it shouldn't have access to my data.
  • It may happen that a Facebook app has a bug that lets some evil people access other people's data.  I don't want to be a victim when something like that happens.
  • Minimizing the number of apps that have access to my data means I am minimizing the surface through which my information can leak.  I'd like to keep it as small as possible.
Of course, you would have your own reasons.  Maybe now is a good time to review the apps that have access to your information.


  1. Hey Kannan,

    Thanks for the reminder. Just finished a clean-up.

    I was so surprised to see the number there... Pretty crazy, had not realised I interact with so many apps on Facebook :D

    The new updates on Facebook make apps ask an additional question - do we give them permission to use our email ID to send us updates. I think it will be very important to remember to click no if we want to keep that email ID away from spam.

    Also, with the new update now, I hope we will not see any Farmville and Mafia Wars updates.... Yiippeee... :)


  2. @Freya: yes, I was surprised too. There were too many apps with privileges to my profile. I haven't gotten the new Facebook yet; but I mercilessly blocked all the apps sometime back, so I don't get much spam :)

  3. Thnx for the tip. Just logged onto my FB account and found this Zoosk app that I never approved and it just made me wonder if FB can grant permission to applications without your consent or even notifying you? Or how do I find out from which device or IP address the application granted access? Really desperate in finding this out, in this moment I'm busy searching the net but haven't come up with anything yet. Plzzzz help!!!

    1. Hi, Xolly. Facebook won't grant permissions to apps without your explicit approval, but some rogue apps trick you into granting permissions. (One of the techniques they use is called "clickjacking".)

      I don't know if you can find such detailed information about application authorisations; maybe ask in Facebook support forums?