Facebook: Android, iOS security hole only for jailbroken devices

Facebook: Android, iOS security hole only for jailbroken devices

Summary: Facebook says the security vulnerability in Facebook for Android and Facebook for iOS that means your Facebook identity can be stolen only affects compromised or jailbroken devices.


News broke today of a new security vulnerability discovered in Facebook for Android and Facebook for iOS that means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad. U.K. app developer Gareth Wright, who discovered the issue, said it comes down to Facebook's native apps for the two platforms not encrypting your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps. Facebook has responded that this issue only applies to compromised or jailbroken devices.

"Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device," a Facebook spokesperson said in a statement. "We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, 'unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses.' To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."

Something didn't add up for me when I first read this. Wright previously stated that "Facebook are aware and working on closing the hole" so why does Menlo Park's statement make it look as if this really isn't an issue? Facebook clarified this inconsistency by telling me it is looking into ways to mitigate this problem, but it won't be easy.

You might be scratching your head about the fact that these authentication tokens keys are stored in plain text. Facebook explains that encrypting them won't do much good because the key to decrypt them would also have to live on the device. Facebook could force you to enter your password every time you open the Facebook app, but everyone knows that's a pain (although Facebook.com will sometimes prompt you to enter your password again).

As for the USB connection scenario, Facebook says there's no way to fix this problem. Note that in this case it doesn't matter if your device is jailbroken or not, because whoever is doing the deed has physical access to your phone or tablet.

I wasn't worried about this part, because it's nothing new, and it certainly doesn't just apply to Facebook. After all, nobody can write software that will protect your data from a scenario where you give someone physical access to your computer or phone.

I pressed on to get this part confirmed. "We are constantly looking into making our applications more secure, however you should ALWAYS think twice before plugging any device into an unsecure PC same as you wouldn't plug an unknown USB key into your device," a Facebook spokesperson said in a statement.

See also:

Topics: Social Enterprise, Apple, Mobile OS, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Sure Am Glad...

    I sure am glad I don't have to root my phone to get all those features that require jail breaking an iPhone!
    • Nor do I jailbreak my iPhone for unlike you I don't need/want said:)

      So we are both good! Still the very thought that going rogue and leaving the terrible Walled Garden leads to an attack or possible attack is so very CLASSIC!!! I giggle at the thought.

      Pagan jim
      James Quinn
  • Doubtful

    If physical access is needed, why would jailbreaking make a difference?

    Something does not sound quite right here........
  • so when the cops jailbreak your phone to search it

    then they get your facebook account too. how convienient!
    sparkle farkle
  • Apps should use the keyChain!

    iOS comes with protected storage especially designed for passwords and other credentials. It's called the keyChain. When stored with the right attributes, the keyChain protects data using your iPhone/iPod/iPad PIN code. It is where iOS stored your E-mail and Wifi passwords. Plug in your device to any malicious USB port, and that data is still safe. Do make sure to use a PIN code longer than the standard 4 digits. On other iOS devices the 4 digits PIN code can be brute forced in 20 minutes (but the device needs to be booted in DFU mode first).

    The Facebook developers should read this: http://iphonedevelopertips.com/core-services/using-keychain-to-store-username-and-password.html
  • sgrege

  • Emm

    If the hacker manages to get a hold of a computer to which your iDevice is connected to, all they need is iFunbox to browse to the user application folder and grab the .plist file.

    iFunbox has built in hacks to access the app sanbox [b]without[/b] jailbreaking ;)