Let me fix that
Verify this, bitch.
Facebook app developers will need to verify their account with the social network before they are allowed to create applications under a new scheme, but experts are nonplussed by the proposals. The scheme relies on authentication via either confirming ownership of a particular mobile phone number or submitting credit card …
But you don't upload code, that's the whole point of using an API.
If they really do wish to be secure they should look into the same procedures Apple kinda use... simply test the apps. A monitoring system could constantly check an app to make sure it hasn't changed; if it has, then it needs to be authorised again.
A lot of work... but what the hell, it's not my job! :)
I remember taking a quick look at Facebook development a bit of time back, and I believe the code of a Facebook app is not hosted on Facebook. A Facebook application uses what they call a canvas, which is an iframe pointed at an external server URL (the application callback URL), around which they place the standard Facebook bits (including adverts).
This means that Facebook avoids a lot of the bandwidth issues, but it also means that, as far as I know, they cannot preview the code (or the request responses) in any way. They could review the application by navigating to it, but as it could modify the response dependent upon client IP, Facebook user, etc., this might be of limited use. Particularly as the dodgy bit could be turned on later.
Yeah, on the Koobface article it said Facebook automatically checks links posted, but they were just redirecting requests from within Facebook's IP space to a benign page.
Maybe they could have set up some honeypot profiles to test the apps on and then monitor what happens?
There is the iframe option or the 'fbml' option.
In the second case, the Facebook server calls your URL, retrieves the webpage, sanitises it, and serves the result to the user.
A thought on their process (ignoring the fact that a throwaway mobile is cheap for serious fraudsters):
1) create app through legitimate account.
2) assign 'app privilege' to dodgy account.
3) remove app privilege from real account.
I wonder if they keep a 'paper trail' to avoid this situation?
Mr Ferguson, the security expert, has obviously never looked at anything Facebook put out. They don't have time to look at their OWN code, never mind anyone else's.
Also, as someone has pointed out, FB apps aren't on their servers. My app (which is a very modest 3600 lines of PHP) is currently sitting on about 700 servers. So Facebook could, I suppose, vet my original app each time I change it (which has been about 20 times in the past week due to their crazy implementation timescale for OAuth2) and say it's not rogue, but there is nothing to stop any of the people using my app from changing something in it and basically making their copy "rogue".
Yes, there is a problem with rogue apps, but Mr F's suggestion is totally impractical, and maybe he should do some more research into how things work before giving us his "advice" next time.