The lack of fine-grained permissions per app is Android's fault, not Facebook's (not that they aren't benefiting).
Android application manifests means that if even just one user of your app might want to use a feature that requires elevated permissions, your entire app must be given these permissions for all users at installation time.
Which is obviously a huge security issue. What if I want to use the Facebook app but deny it permission to my address book? Not possible out of the box.
E.g. There's a feature to see if any of your phone contacts already have Facebook accounts. To service the potential people that wants this feature to work so they can easily "friend" these people on Facebook, the app must have this permission for everyone who installs it.
It's all or nothing, that's correct. Either you install it and accept it's access conditions or don't install it. A popular mod for Android (CyanogenMod) has an extension to the OS that has a toggle button to block any elected app from accessing personally identifiable information, this includes sending the app (say Facebook) an empty address book when asked, and fake details like IMEI, GPS location etc. It should be part of every mobile OS in my opinion. A feature I'm scared to live without.
I love that feature the most. Every phone and computer should have a feature like that. And permissions should be fine-grained and it should be possible to turn them off.
Yeah I wish desktop OS' had this feature. I suppose we'll be heading there. The ability to not deny but send a blank list is better than the former too. Do you know if CM is doing fine grained? I suppose it would be better of AOSP themselves did it.