Facebook's iOS and Android clients don't encrypt users' logon credentials, leaving them languishing in a folder accessible to other apps or USB connections. A rogue application, or two minutes with a USB connection, are all that's needed to lift the temporary credentials from either device – a problem compounded by Facebook's …
Encrypt your iOS backups!
On all that when I had an epiphany and realised there is more to life.
Encrypting backup goes without saying!
A less elegantly worded report is on my site @ http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft for those wanting more detail.
Only works on iOS jailbroken devices.
Jailbreaking an iOS device removes all built-in safeguards.
Don't jailbreak your iOS device and the problem disappears.
Re: Only works on iOS jailbroken devices.
Incorrect, perhaps the article here is not as clear as it should be, the data can be accessed whether jailbroken or not.
It's just easier to get to that data if you are
"any Android application granted permission to "modify/delete SD Card" could do the same thing"
I understand that managing fine-grained access controls is difficult, both for developers and users.
But seriously, some sets of permissions are clearly very powerful indeed, and should be far more stringently controlled. I have similar irritation with Facebook's own notion of access control granularity for its apps.
"Facebook logins easily slurped from jailbroken iOS devices, all Android kit"
Oh wait, then fewer people would read the article.
Re: Misleading title
That's not how I read it. I read it to mean that all iOS devices are vulnerable, but only when connected via a USB cable... Jailbroken iOS devices are vulnerable from apps.
And the fact that Android is more open and gives you access to your files is a good thing; poor developers that don't encrypt and protect data are a bad thing...
Re: Misleading title
Devices don't have to be jailbroken to get to the data.
Android is quite capable of hiding data from other apps since it uses an ext2 Linux file system and allocates a unique user to each installed app, providing an appropriately chmodded private storage directory for each one. It's purely a developer choice to store credentials on the shared file system (except for rooted devices and even most of those have a barrier preventing unauthorized elevation of privileges).
Yes, this is a programming error by FB.
Their app should never have been coded to store the login data on the SD Card in the first place, that is an elementary Android Security 101 mistake. Any Android programmer should know to store secure data in the program's own secure install directory.
Re: Yes, this is a programming error by FB.
I get the impression that Android programmers are considered obsolete by big brands in the app development world. Any Android programmer would indeed know that, but companies give their code to an intern and ask them to translate it into Android for the other 60% of their userbase.
Seen the offering from Instagram?
Facebook are aware of this "temporary" problem and have announced that a fix will come out soon.
You clicked the wrong button.
Also that should read "Facebook have willingly and implicitly allowed selected partners direct access to your information in exchange for money"
Which is sadly not a joke.
I should expect so too, since it's just incompetence on Facebook's side. On iOS there's the keychain exactly to allow developers to store information securely without having to know anything about the topic for themselves, and I'd be extraordinarily surprised if there's no similar API in Android.
Facebook's developers have simply been lazy.
Agreed, the same can be said of 3rd party apps storing access tokens in plain text plists
"Facebook was already aware of the problem and working on a fix"
So many times I have seen that line trotted out. Time to think up a new one, Faceplant.
Re: "Facebook was already aware of the problem and working on a fix"
As I said, it is a temporary problem.
It'll be fixed by 4002.
"dodgy software from unreliable sources"
> those who download dodgy software from unreliable sources sometimes deserve what they get
...you mean, like, any Android owner, using the Android Market?
(In ICS they seem to have renamed it the "Play Store", which is kinda what it is - not a proper store at all. The store owners don't know what they're selling and don't care if it hurts you - caveat emptor to the max.)
One thing I'm not entirely clear on from the article...maybe I misread it...
iOS sandboxes applications, yes/no? But Android relies on a permission model, not sandboxing? So which is better?
Genuine query btw.