Denials don't fix Facebook security flaw on iOS, Android

Unencrypted, 'temporary' user credentials available to simple malware until year 4001

Technology geeks tend to be better at logic and math than most other species of geek, so it's odd this hasn't come out before, as a theory based on mathematical projections, if nothing else.

See if it adds up for you:

IT Syllogism Puzzle of the Day:
  • If: Facebook is famously insecure and exploitive in the way it uses the personal information of customers;
  • And: Smartphones running Android (and, to a lesser extent, iOS) are famously insecure in the way they store personal data, transmit it and allow apps permission to read, write or invent it;
  • Then: Facebook apps running on Android and iOS smartphones ______________?
  • If your answer was "Facebook on Android and iOS smartphones is even more insecure," you win. Take the weekend off.
  • Extra points if you added expletives for emphasis. Level up if your answer was: "Therefore, Socrates is a cat."

Today's sadly obvious (in retrospect) revelation about smartphone insecurity is that the Facebook apps running on Android and iOS do not encrypt user login credentials either while they're stored on the phone or while they're being broadcast across Wi-Fi or cell networks as their users log in, according to a British developer who builds apps on both iOS and Android.

When users log in using the Facebook app for iOS or Android, the app creates a set of "temporary" credentials that it stores in an unencrypted, unsecured property list (.plist) file accessible to anyone with physical access to the device or to any app running on it, according to designer and developer Gareth Wright, who discovered the flaw and blogged about it on April 3.

Some iOS games do the same thing, but use iOS security to keep high-score data from being released and only store user data for 60 days, according to The Register.

Facebook is more liberal; it defines "temporary" as lasting until the year 4001.

The Facebook app stores user data in a .plist, which is protected on Android only if the user is far more strict in permissions granted to other apps than is usual.

Wright wrote a proof-of-concept app designed to scarf up as many .plists as possible, collecting more than 1,000 before taking his findings to Facebook with a warning about the security flaw.

Facebook told Wright it is aware of the problem and is working on a fix, he found after reporting his findings to the company.

Facebook is also spinning the revelation as hard as it can, claiming in its official response – and in several stories based on it – that the security hole makes the Facebook app vulnerable only if the phone has been jailbroken or an identity thief has physical access to the phone itself.

Not true. According to Wright, any Android app that has permission to store or modify data on the SD card can also see the unencrypted .plist the Facebook app leaves behind.

That would make them vulnerable to any rogue app or malware designed to collect as much information as possible and phone it home (which, on Android, is far too many of them).

"We have duplicated the Facebook hack here at TNW labs (using our own devices) and it works perfectly well without a jailbreak," according to a story in TheNextWeb.

Even worse, for those hoping the cloud could save them from irreparable data loss or inaccessibility, the app distributed by the file-locker service Dropbox has the same .plist security flaw, making Dropbox profiles vulnerable to hacks or malicious software on iOS and Android devices, TNW's testing found.

Facebook is working on a patch, but app developers who build in connections to Facebook have to add their own encryption to the 60-day access token Facebook supplies, Wright told ZDNet.

If they don't, "it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already."
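To make the developer-side point concrete, here is an added example (written for this editing pass; it is not code from the article, from Wright, or from Facebook) that audits a .plist the way a defender would: it flags a credential stored in the clear, a file readable by other users or apps, and an expiry far beyond the 60-day token lifetime the article cites. The key names `AccessToken` and `AccessTokenExpiry` are assumptions, since the article does not say which keys the Facebook app wrote; the sample files are constructed on the fly with placeholder token values, and the POSIX file-mode check is a rough stand-in for the "any app with SD-card permission can read it" exposure described above, which on Android is governed by app permissions rather than file bits.

```python
import os
import plistlib
import stat
import tempfile
from datetime import datetime, timedelta

# The key names below are ASSUMPTIONS for illustration; the article does not
# say which keys the Facebook app used inside its .plist.
TOKEN_KEY = "AccessToken"
EXPIRY_KEY = "AccessTokenExpiry"

# The article cites a 60-day access token; anything that lives much longer
# than that (the article's example: year 4001) is flagged as excessive.
MAX_TOKEN_LIFETIME = timedelta(days=60)


def write_sample_plist(path, expiry, mode):
    """Write a CONSTRUCTED plist in the shape the article describes:
    a plaintext token plus an expiry date, with the given file mode.
    The token value is a placeholder, not a real credential."""
    data = {TOKEN_KEY: "EXAMPLE-TOKEN-PLACEHOLDER", EXPIRY_KEY: expiry}
    with open(path, "wb") as fh:
        plistlib.dump(data, fh)  # XML plist; plistlib writes naive datetimes as UTC
    os.chmod(path, mode)


def audit_plist(path, now):
    """Return a list of findings for one plist: readable by other users or
    apps, a credential stored in the clear, and an expiry far beyond the
    expected token lifetime. An empty list means nothing was flagged."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by other users or apps")
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    token = data.get(TOKEN_KEY)
    if isinstance(token, str) and token:
        findings.append("plaintext access token")
        expiry = data.get(EXPIRY_KEY)
        if isinstance(expiry, datetime) and expiry - now > MAX_TOKEN_LIFETIME:
            findings.append("expiry %d far exceeds 60-day lifetime" % expiry.year)
    return findings


def demo():
    """Audit two constructed files: one mirroring the exposure the article
    describes (world-readable, expiry in 4001) and one stored the way a more
    careful app would (owner-only mode, 60-day expiry)."""
    now = datetime(2012, 4, 5)  # date of Facebook's response, per the article
    workdir = tempfile.mkdtemp()
    exposed = os.path.join(workdir, "exposed.plist")
    careful = os.path.join(workdir, "careful.plist")
    write_sample_plist(exposed, datetime(4001, 1, 1), 0o644)
    write_sample_plist(careful, now + timedelta(days=60), 0o600)
    return {
        "exposed": audit_plist(exposed, now),
        "careful": audit_plist(careful, now),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Note that the "careful" file still trips the plaintext-token check: tightening file permissions narrows who can read the file, but it does not change the fact that the credential sits on disk in the clear, which is exactly why Wright says developers must add their own encryption on top of whatever Facebook ships.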

Here is Facebook's official response: "We have noticed several articles claiming your Facebook account is at risk if you use Facebook for iOS or Android. This is NOT true.

Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if users have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. To protect yourself we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues." – Facebook response to iOS/Android app bug reports, April 5, 2012

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
