Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.
Norton: Android app skips consent, gives Facebook servers user phone numbers | ZDNet
Norton published findings that Facebook’s Android app has sent millions of people’s phone numbers to its servers upon launch, without users even logging into the app. UPDATED.
Misbehaving incompetently. Any real skimming should have encrypted the number strongly before transmission OR a sneaky skim could have used the phone number as a unique seed for encryption – and then only transferred it through reflection in normal traffic.