Over the last month or so, iOS apps have been under the spotlight over security loopholes, and this time it's Facebook. The issue also applies to other services such as LinkedIn and Dropbox, and to iOS apps that use those services to authenticate users.
Facebook for iOS was alleged to pose a security threat to its users when security researcher Gareth Wright found that the iOS app keeps its authentication tokens in a plain text file. As far as we know, no attack using this has yet happened, but kudos to Gareth for pointing it out and reporting the flaw where many others wouldn't. Whether or not auth tokens are stored in plain text isn't the main issue; the problem is that the file can be copied to other iDevices, or lifted from a compromised backup, and still works. In simple terms, anyone who can get hold of this file has full access to your Facebook account and can use it to steal your identity or commit other social cyber crimes.
What has Facebook said about this iOS security issue?
Facebook has replied to news agencies with the following comment, although it omits what we think is the easiest attack: pulling the file from an unencrypted backup.
Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, “unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.” To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
Apart from CNET, 9to5Mac.com, Gareth Wright and a few others, this story has been relatively ignored, which is slightly perplexing. Over the last 12 months, far more incidental topics such as location services and iPhone tracking were over-hyped; this one, we feel, is not. Maybe people are just tired of hearing how many security loopholes their mobile devices have. But really, this latest failure should push companies to take more responsibility for security on their mobile devices.
How can Facebook fix this iOS security issue?
The big question is: should you be worried? It depends. To get this text file, someone needs physical access to your iDevice, or to a PC holding an unencrypted backup that includes the Facebook app's files. Encrypting the file on its own would be futile, because the key to decrypt it would still need to be on the device, so the token could still be copied and re-used whether or not it is in plain text. We suggest that Apple and other app makers should carry out the following basic steps:
- Not storing this information in the backup at all; users should have to log in again after a restore.
- Giving the iPhone app's authentication token a shorter lifespan (not 2000+ years as mine said), say 24 hours.
- Encoding the device name into the authentication file. This locks the file to the device it was created for, meaning it can't be transferred.
- Alerting users to logins from multiple locations; making a compromise visible is a great and simple idea.
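To make the second and third suggestions concrete, here is an added example, not code from the original post or from Facebook, of a server-side token design that carries a 24-hour expiry and is bound to the device it was issued to. The server secret, the token format, the device identifiers and the user names are all constructed for the example. In practice the device identifier should be an opaque per-install value the app generates and keeps in the keychain rather than the user-editable device name, since a name is trivially copied along with the file. Verification rejects a token that has expired, is presented from a different device, or has been edited to name another device.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values; not Facebook's real secret, token format or lifetime.
SERVER_SECRET = b"example-server-secret-not-for-production"
TOKEN_LIFETIME_SECONDS = 24 * 60 * 60  # the 24-hour lifespan suggested above


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    # HMAC over the encoded payload, so any edit to uid/dev/exp invalidates the signature.
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, device_id: str, now: int) -> str:
    """Issue a token bound to device_id that expires TOKEN_LIFETIME_SECONDS after now."""
    payload = {"uid": user_id, "dev": device_id, "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
    body = _b64encode(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, presenting_device_id: str, now: int):
    """Return (user_id, 'ok') if the token is valid for this device at this time,
    otherwise (None, reason)."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(body), sig):
        return None, "bad signature"
    payload = json.loads(_b64decode(body))
    if now >= payload["exp"]:
        return None, "expired"
    # A copy of the file presented from another device carries the wrong id and fails here.
    if not hmac.compare_digest(payload["dev"].encode(), presenting_device_id.encode()):
        return None, "device mismatch"
    return payload["uid"], "ok"


def retarget_token(token: str, new_device_id: str) -> str:
    """What someone holding a copied file might try: edit the device field, keep the signature."""
    body, sig = token.split(".")
    payload = json.loads(_b64decode(body))
    payload["dev"] = new_device_id
    return f"{_b64encode(json.dumps(payload, sort_keys=True).encode())}.{sig}"


def demo() -> dict:
    """Exercise the cases the post is concerned with; returns the verification outcome of each."""
    issued_at = 1_334_000_000  # constructed Unix timestamp
    token = issue_token("alice", "device-A", issued_at)
    one_hour = issued_at + 3600
    return {
        "same device, one hour later": verify_token(token, "device-A", one_hour)[1],
        "file copied to another device": verify_token(token, "device-B", one_hour)[1],
        "same device, 25 hours later": verify_token(token, "device-A", issued_at + 25 * 3600)[1],
        "device field edited in the file": verify_token(
            retarget_token(token, "device-B"), "device-B", one_hour
        )[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The client-side half of the first suggestion is handled by iOS itself if the app asks for it: a keychain item stored with kSecAttrAccessibleWhenUnlockedThisDeviceOnly is not migrated to another device by a backup restore, and a file marked with NSURLIsExcludedFromBackupKey is left out of the backup entirely. Note that the short lifespan on its own only limits how long a stolen token stays useful; the device binding is what stops a copied file working at all.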
How to check your iPhone or iPad backup for stored Facebook and LinkedIn authentication data.
You can do this using our iPhone Backup Extractor software by accessing your backup in Expert Mode. You won't be able to read the data or use it to sign in to Facebook unless you know what you're doing, but you can see how easy it is to get at the files. Before anyone gets worried: this only shows that access is possible; unlike other sites, we have withheld publishing any methods and don't condone this use. There is no feasible reason a legitimate user would need this information; everyone should know their log-in details or be able to reset them via other means such as email.
When restoring from your iTunes backup you already have access to your Facebook app. Ever noticed?
You can test this for yourself on a small scale. Make a backup of your iPhone while logged in to Facebook. Then, on your iPhone, log out of Facebook: the option does exist, even though hardly anyone seems to use it. To find it, go to the bottom of the left menu, tap “Settings”, then tap “Log Out”. Now restore from the backup you just created, et voilà, you have access to your Facebook app without signing in again. So you must be responsible for your own iPhone, your social app logins and how you store your backups. Plug iPhones, iPads and iPods only into trusted devices, adjust your settings to increase the security level (encrypting your iTunes backups is the obvious start), and ultimately take care of your iDevice. You never know, somebody out there might want to be “you”.
Let's hope this issue will get fixed soon! Are you worried about the security hole found in Facebook App for iOS?