Default post cover image

Facebook store insecure authentication tokens in iPhone backups

Andrew Coles

by Andrew Coles

Over the last month or so, a handful of iOS apps have been under the spotlight with regards to security weaknesses and iPhone tracking. Now it's Facebook's turn, although the issue in question applies to many other social network sites such as LinkedIn, Dropbox, and apps that use these sites to authenticate users on iOS.

Security researcher Gareth Wright found Facebook's iOS app keeps authentication tokens in a plain text file. Those tokens are equivalent to the password you use to log in.

Storing authentication tokens in a backup isn't necessarily a bad idea. After all, if you have to restore your phone from a backup, it's nice to see everything logged in as it was, and the token is necessary to do this. You can see how this works with Facebook's current implementation:

  • Log in to the Facebook app on your iPhone, and back it up with iTunes
  • Log out of the Facebook app on your iPhone (go to the bottom of the left menu and click Settings > Log Out)
  • Restore the iTunes backup to your phone

You'll see you're logged back in. Neat.

The road to hell is paved with good intentions

Whether Facebook stores its authentication token in the backup isn't the main issue. The biggest problem here is that the token isn't encrypted, doesn't have a device-specific element to it, and isn't time-limited. That means that someone could pull the file from your backup and import it to their own device. In simple terms, anyone who can access this file can have full access to your Facebook account and use it to steal your identity or track your activity.

In addition to this, many third-party apps and services use Facebook as an authentication service. If a hacker is already signed in to your Facebook account, they could also access these services using it.

Facebook has replied to news agencies with the following comment, although they seem to omit the likelihood of unsecure backup hacking which we think is the easiest method.

Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

Should you be worried? In order to get this file, the person must have physical access to your iOS device or a PC with an unencrypted stored backup. A casual hacker may not have access to those, but a determined one might be able to arrange such access.

Clearly, app publishers such as Facebook could help themselves with the following:

  • Apply additional encryption to authentication tokens in backup
  • Ensure the tokens have a device-specific element so that they cannot be used on other devices
  • Set the tokens to have an expiry date in a near future
  • Alert users to new logins to a service from restored tokens

Want to examine your own Facebook authentication token?

iPhone Backup Extractor reading the Facebook auth token
iPhone Backup Extractor reading the Facebook auth token

You can do this using iPhone Backup Extractor and accessing your backup in "Expert Mode". You won't be able to read the data or use it to sign into Facebook unless you know what you're doing -- and we've withheld publishing how to do this for security reasons -- but it doesn't take much to figure it out.

Andrew Coles

by Andrew Coles on , last updated

We've helped over 3,000,000 people recover their lost iPhone data. Let us help you too.

Related posts

Submit a comment

© 2008 - 2018 Reincubate Ltd. Registered in England and Wales: #5189175, VAT GB151788978. Built with ❤️ in London.

Reincubate is a registered trademark. All rights reserved. Terms & conditions. Privacy Policy. It's your data, not ours. We recommend 2FA.

close

For personal users

For businesses and pro users

Scroll down for business and pro plans

Basic

$34.95

iTunes support

Works with Windows and Mac

Customer support

Preview iCloud device list

BUY BASIC

Premium

$69.95

iCloud and iTunes support

Works with Windows and Mac

Customer support

5 iCloud devices

BUY PREMIUM
Jonathan

This is iPhone Backup Extractor, think of it as a "personal forensics" utility. It's pretty awesome.

Jonathan Zdziarski

Forensics and iOS expert

For business and pro users

Business

$299.95

25 iCloud devices

High priority customer support

Commercial license

All benefits of our premium plan

BUY BUSINESS
ricloud
Demo our APIs for enterprise

Need iCloud access, forensic tooling, bulk recovery of deleted SQLite data?

Learn about our APIs at www.reincubate.com.