You are right. What you say about Facebook is true, but Google's Android is open source, so there is no way they can plant privacy-invading code and get away with that.
No phone on earth runs the open-source version of Android that you can download from git. They all run custom versions that include not only closed-source personalizations to the system, but they also run lots of closed code as root (Play Services first and foremost).
The reason why this doesn't happen with Android is much more mundane: most Android phones are not encrypted so the FBI doesn't need help to read all the customer data. They just need to open the phone and dump the flash.
Seems to have been broken since 2007 (the 'broken' line appears in the 2007-01-01 commit "Bump year" but not in the 2006-10-06 commit "Mark rand.c functions with U.")
Just because it's open source doesn't mean it's safe. You have no control over what happens to that code before it gets installed on a phone. Samsung, whoever, can and do modify the code -- those modifications aren't generally open source.
Ruby on Rails is open source, but that doesn't mean that all applications on Rails are open source.
> Samsung, whomever can and do modify the code -- those modifications aren't generally open source.
That will certainly change quite soon. In the earlier days, FOSS was not a concept that the masses were aware of, but now it is different. There is increasing competition in the smartphone world, and if one of the other manufacturers (say ASUS) makes their Android modifications open source, they will see a drastic increase in sales. To keep up with the competition, Samsung, etc. will also have to do the same. In other words, competition will ensure the success of open source.