Facebook logins easily slurped from iOS, Android kit

Facebook's iOS and Android clients don't encrypt users' logon credentials, leaving them languishing in a folder accessible to other apps or USB connections. A rogue application, or two minutes with a USB connection, are all that's needed to lift the temporary credentials from either device – a problem compounded by Facebook's …

COMMENTS

This topic is closed for new posts.
  1. slith

    Encrypt your iOS backups!

    1. Anonymous Coward

      gave up

      On all that when I had an epiphany and realised there is more to life.

  2. Gareth Wright
    Thumb Up

    @Slith

    Encrypting backup goes without saying!

    A less elegantly worded report is on my site @ http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft for those wanting more detail

  3. hypernovasoftware

    Only works on iOS jailbroken devices.

    Jailbreaking an iOS device removes all built-in safeguards.

    Don't jailbreak your iOS device and the problem disappears.

    1. Gareth Wright

      Re: Only works on iOS jailbroken devices.

      Incorrect. Perhaps the article here is not as clear as it should be: the data can be accessed whether jailbroken or not.

      It's just easier to get to that data if you are

  4. Ru
    Unhappy

    "any Android application granted permission to "modify/delete SD Card" could do the same thing"

    I understand that managing fine-grained access controls is difficult, both for developers and users.

    But seriously, some sets of permissions are clearly very powerful indeed, and should be far more stringently controlled. I have similar irritation with Facebook's own notion of access control granularity for its apps.

  5. Anonymous Coward

    Misleading title

    Should read:

    "Facebook logins easily slurped from jailbroken iOS devices, all Android kit"

    Oh wait, then less people would read the article.

    1. Anonymous Coward

      Re: Misleading title

      That's not how I read it. I read it to mean that all iOS devices are vulnerable, but only when connected via a USB cable... Jailbroken iOS devices are vulnerable from apps.

      And the fact that Android is more open and gives you access to your files is a good thing; poor developers who don't encrypt and protect data are a bad thing.

    2. Gareth Wright

      Re: Misleading title

      Devices don't have to be jailbroken to get to the data.

  6. Gerard Krupa
    FAIL

    Android security

    Android is quite capable of hiding data from other apps since it uses an ext2 Linux file system and allocates a unique user to each installed app, providing an appropriately chmodded private storage directory for each one. It's purely a developer choice to store credentials on the shared file system (except for rooted devices and even most of those have a barrier preventing unauthorized elevation of privileges).

    1. Anonymous Coward

      Yes, this is a programming error by FB.

      Their app should never have been coded to store the login data on the SD Card in the first place, that is an elementary Android Security 101 mistake. Any Android programmer should know to store secure data in the program's own secure install directory.

      1. Craigness

        Re: Yes, this is a programming error by FB.

        I get the impression that Android programmers are considered obsolete by big brands in the app development world. Any Android programmer would indeed know that, but companies give their code to an intern and ask them to translate it into Android for the other 60% of their userbase.

        Seen the offering from Instagram?
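The point Gerard Krupa and the Anonymous Coward above make, shown in Android code: the same access token written to the shared SD card versus the app's own UID-protected internal storage. This is an added example, not Facebook's or the article's code; `TokenStore`, the file name and the preference keys are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/** Hypothetical helper contrasting the weak and the intended storage location. */
public final class TokenStore {
    private static final String PREFS_NAME = "session";       // constructed name
    private static final String KEY_TOKEN = "access_token";   // constructed key

    private TokenStore() {}

    // WEAK: external storage is a single shared filesystem. Any app holding the
    // WRITE_EXTERNAL_STORAGE permission, or a host reading the card over USB,
    // can read this file; Android's per-app UID isolation does not apply here.
    public static void saveTokenToSdCard(String token) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), "fb_session.txt");
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // INTENDED: internal storage under the app's private data directory. The
    // directory is owned by the UID Android assigned to this package and created
    // with mode 0600-style permissions, so other (non-root) apps cannot open it.
    // MODE_PRIVATE is the default; MODE_WORLD_READABLE would undo the protection.
    public static void saveTokenPrivately(Context ctx, String token) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    public static String loadToken(Context ctx) {
        return ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
                  .getString(KEY_TOKEN, null);
    }

    // Defensive check for code review or a unit test: refuse to persist a
    // credential to any path that resolves onto external storage.
    public static boolean isOnExternalStorage(File path) {
        String ext = Environment.getExternalStorageDirectory().getAbsolutePath();
        return path.getAbsolutePath().startsWith(ext);
    }
}
```

As Krupa notes, root access or an unencrypted backup still exposes the private directory, so the internal-storage location limits the exposure to other apps and USB browsing rather than removing the need to protect the device itself.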

  7. Lockwood
    Joke

    Facebook are aware of this "temporary" problem and have announced that a fix will come out soon.

    1. Jeebus

      You clicked the wrong button.

      Also, that should read "Facebook have willingly and implicitly allowed selected partners direct access to your information in exchange for money".

      Which is sadly not a joke.

    2. ThomH

      I should expect so too, since it's just incompetence on Facebook's side. On iOS there's the keychain exactly to allow developers securely to store information without having to know anything about the topic for themselves, and I'd be extraordinarily surprised if there's no similar API in Android.

      Facebook's developers have simply been lazy.

      1. Gareth Wright
        FAIL

        Agreed, the same can be said of third-party apps storing access tokens in plaintext plists.

  8. Spud2go
    Pint

    "Facebook was already aware of the problem and working on a fix"

    So many times I have seen that line trotted out. Time to think up a new one, Faceplant.

    1. Lockwood

      Re: "Facebook was already aware of the problem and working on a fix"

      As I said, it is a temporary problem.

      It'll be fixed by 4002.

  9. Anonymous Coward

    "dodgy software from unreliable sources"

    > those who download dodgy software from unreliable sources sometimes deserve what they get

    ...you mean, like, any Android owner, using the Android Market?

    (In ICS they seem to have renamed it the "Play Store", which is kinda what it is - not a proper store at all. The store owners don't know what they're selling and don't care if it hurts you - caveat emptor to the max.)

  10. Silverburn
    Boffin

    One thing I'm not entirely clear on from the article... maybe I misread it...

    iOS sandboxes applications, yes/no? But Android relies on a permission model, not sandboxing? So which is better?

    Genuine query btw.
