Facebook: Android, iOS security hole only for jailbroken devices

Facebook says the security vulnerability in Facebook for Android and Facebook for iOS that means your Facebook identity can be stolen only affects compromised or jailbroken devices.
Written by Emil Protalinski, Contributor

News broke today of a new security vulnerability discovered in Facebook for Android and Facebook for iOS that means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad. U.K. app developer Gareth Wright, who discovered the issue, said it comes down to Facebook's native apps for the two platforms not encrypting your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps. Facebook has responded that this issue only applies to compromised or jailbroken devices.

"Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device," a Facebook spokesperson said in a statement. "We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, 'unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses.' To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."

Something didn't add up for me when I first read this. Wright previously stated that "Facebook are aware and working on closing the hole" so why does Menlo Park's statement make it look as if this really isn't an issue? Facebook clarified this inconsistency by telling me it is looking into ways to mitigate this problem, but it won't be easy.

You might be scratching your head about the fact that these authentication tokens keys are stored in plain text. Facebook explains that encrypting them won't do much good because the key to decrypt them would also have to live on the device. Facebook could force you to enter your password every time you open the Facebook app, but everyone knows that's a pain (although Facebook.com will sometimes prompt you to enter your password again).

As for the USB connection scenario, Facebook says there's no way to fix this problem. Note that in this case it doesn't matter if your device is jailbroken or not, because whoever is doing the deed has physical access to your phone or tablet.

I wasn't worried about this part, because it's nothing new, and it certainly doesn't just apply to Facebook. After all, nobody can write software that will protect your data from a scenario where you give someone physical access to your computer or phone.

I pressed on to get this part confirmed. "We are constantly looking into making our applications more secure, however you should ALWAYS think twice before plugging any device into an unsecure PC same as you wouldn't plug an unknown USB key into your device," a Facebook spokesperson said in a statement.

See also:

Editorial standards