The problem is that the apps’ security settings save users’ authentication keys in unencrypted plain text files (called plists) and that could easily be stolen by copying the plist from one iOS or Android device and pasting it into the same directory on another device.
Facebook has issued a statement, effectively blaming the security gaffe on jailbroken devices:
“Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android), or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment, and security, all of which is compromised on a jailbroken device. As Apple states, “Unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.”
To protect themselves, we recommend that all users abstain from modifying their mobile OS to prevent any application instability or security issues.”
However, according to security researcher Garreth Wright, who first discovered the flaw, the security hole remains on devices that were not jailbroken or modified in any way:
“I feel I should reiterate Facebook is playing this down and that’s fine, but saying it only affects stolen and jailbroken phones is not. The biggest risk is from malware and viruses designed to slurp data from devices plugged into PCs, so despite what any other articles say, jailbroken or not, you are vulnerable. When tested, this worked on locked, pass-coded, unmodified iOS devices.”
Wright also shares some critical steps to take to protect your smartphone:
- Pick a complex password, not a simple four-digit PIN.
- Turn on your device’s Find My iPhone function.
- If you charge your device on a shared computer, don’t unlock the device until you disconnect it.
Malware, Antivirus Tips
Of course, the risks associated with mobile security apps aren’t entirely new — but it’s a new twist on old fears. Consumer Reports calls Facebook “the custodian of arguably the nation’s largest collection of details about consumers’ personal lives.” It found in a survey that more than 20% of active Facebook users had never managed their privacy controls, making them more vulnerable to threats.
That same Consumer Reports “State of the Net” survey, which interviewed 2,089 online households, also revealed that 30% use their mobile phones without any security precautions, potentially jeopardizing bank information, medical records, and other sensitive data.
As this very website has previously reported, there is “a dark side” to mobile app security, and if you believe that sensitive personal information has been compromised, be sure to take appropriate action to protect yourself from identity theft.