back to article Facebook logins easily slurped from iOS, Android kit

Facebook's iOS and Android clients don't encrypt users' logon credentials, leaving them languishing in a folder accessible to other apps or USB connections. A rogue application, or two minutes with a USB connection, are all that's needed to lift the temporary credentials from either device – a problem compounded by Facebook's …

COMMENTS

This topic is closed for new posts.

Encrypt your iOS backups!

1
1
Anonymous Coward

gave up

On all that when I had an epiphany and realised there is more to life.

2
1
Thumb Up

@Slith

Encrypting backup goes without saying!

A less elegantly worded report is on my site @ http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft for those wanting more detail

1
3

Only works on iOS jailbroken devices.

Jailbreaking an iOS device removes all built-in safeguards.

Don't jailbreak your iOS device and the problem disappears.

1
5

Re: Only works on iOS jailbroken devices.

Incorrect. Perhaps the article here is not as clear as it should be; the data can be accessed whether jailbroken or not.

It's just easier to get to that data if you are

4
0
Ru
Unhappy

"any Android application granted permission to "modify/delete SD Card" could do the same thing"

I understand that managing fine-grained access controls is difficult, both for developers and users.

But seriously, some sets of permissions are clearly very powerful indeed, and should be far more stringently controlled. I have similar irritation with Facebook's own notion of access control granularity for its apps.

0
0
Anonymous Coward

Misleading title

Should read:

"Facebook logins easily slurped from jailbroken iOS devices, all Android kit"

Oh wait, then less people would read the article.

1
9
Anonymous Coward

Re: Misleading title

That's not how I read it. I read it to mean that all iOS devices are vulnerable but only when connected via a USB cable... Jailbroken iOS are vulnerable from apps

And the fact that Android is more open and gives you access to your files is a good thing; poor developers that don't encrypt and protect data is a bad thing...

5
0

Re: Misleading title

Devices don't have to be jailbroken to get to the data.

5
0
FAIL

Android security

Android is quite capable of hiding data from other apps since it uses an ext2 Linux file system and allocates a unique user to each installed app, providing an appropriately chmodded private storage directory for each one. It's purely a developer choice to store credentials on the shared file system (except for rooted devices and even most of those have a barrier preventing unauthorized elevation of privileges).

4
0
Anonymous Coward

Yes, this is a programming error by FB.

Their app should never have been coded to store the login data on the SD Card in the first place, that is an elementary Android Security 101 mistake. Any Android programmer should know to store secure data in the program's own secure install directory.

1
0
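The storage choice the two comments above describe, as an added example that is not part of the thread or of Facebook's code: a credential written to shared storage beside the same write into the app's private, per-UID directory, plus a migration for a token left behind by an older build. The class, method and file names are hypothetical.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/** Added illustration; class, method and file names are hypothetical. */
public final class TokenStore {
    private static final String FILE_NAME = "session_token"; // constructed name

    private TokenStore() {}

    /** Weak: shared storage is reachable by other apps and over USB. */
    public static void saveToSharedStorage(String token) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), FILE_NAME);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Better: the file lands in the app's private directory, owned by its own UID. */
    public static void saveToPrivateStorage(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Moves a token left on shared storage by an older build into private storage. */
    public static boolean migrateLegacyToken(Context ctx) throws IOException {
        File legacy = new File(Environment.getExternalStorageDirectory(), FILE_NAME);
        if (!legacy.isFile()) {
            return false; // nothing to migrate
        }
        byte[] buf = new byte[(int) legacy.length()];
        try (FileInputStream in = new FileInputStream(legacy)) {
            int off = 0, n;
            while (off < buf.length && (n = in.read(buf, off, buf.length - off)) > 0) {
                off += n;
            }
        }
        saveToPrivateStorage(ctx, new String(buf, StandardCharsets.UTF_8));
        if (!legacy.delete()) {
            throw new IOException("could not delete legacy token file");
        }
        return true;
    }
}
```

Private storage only keeps the file away from other unprivileged apps; a token that was ever on shared storage should also be invalidated server-side after migration.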
Silver badge

Re: Yes, this is a programming error by FB.

I get the impression that Android programmers are considered obsolete by big brands in the app development world. Any Android programmer would indeed know that, but companies give their code to an intern and ask them to translate it into Android for the other 60% of their userbase.

Seen the offering from Instagram?

0
0
Joke

Facebook are aware of this "temporary" problem and have announced that a fix will come out soon

2
0

You clicked the wrong button.

Also that should read "Facebook have willingly and implicitly allowed selected partners direct access to your information in exchange for money"

Which is sadly not a joke.

1
2
Silver badge

I should expect so too, since it's just incompetence on Facebook's side. On iOS there's the keychain exactly to allow developers securely to store information without having to know anything about the topic for themselves, and I'd be extraordinarily surprised if there's no similar API in Android.

Facebook's developers have simply been lazy.

2
0
FAIL

Agreed, the same can be said of 3rd party apps storing access tokens in plain text plists

1
0
Bronze badge
Pint

"Facebook was already aware of the problem and working on a fix"

So many times I have seen that line trotted out. Time to think up a new one, Faceplant.

0
0

Re: "Facebook was already aware of the problem and working on a fix"

As I said, it is a temporary problem.

It'll be fixed by 4002.

1
0
Anonymous Coward

"dodgy software from unreliable sources"

> those who download dodgy software from unreliable sources sometimes deserve what they get

...you mean, like, any Android owner, using the Android Market?

(In ICS they seem to have renamed it the "Play Store", which is kinda what it is - not a proper store at all. The store owners don't know what they're selling and don't care if it hurts you - caveat emptor to the max.)

0
0
Boffin

One thing I'm not entirely clear on from the article...maybe I misread it...

iOS sandboxes applications, yes/no? But Android relies on a permission model, not sandboxing? So which is better?

Genuine query btw.

0
0