There’s panic about a security hole in Facebook’s iOS and Android apps that surfaced this week, but the threat of identity theft is being blown out of proportion. You only need to worry if your phone is actually stolen, and even then an attacker would need the device to be jailbroken, would need to pull files off it with a tool like iExplore, or would have to take the device apart. Once an attacker has full physical access to your phone, you have a lot more than Facebook to worry about: if the phone is unlocked, the thief can read your contacts and cookies and open every app on it.
Really, this security hole highlights the new dangers of having your phone stolen. Owners should make sure they have a remote wipe solution ready to nuke all their data, or things could get ugly quickly.
So here’s what happened. Developer Gareth Wright published a blog post this week stating that there are ways for attackers to read the .plist file of a user’s Facebook for iOS or Android app, which stores the app’s access token and full OAuth key and secret in plain text. With those, an attacker could log into your Facebook account and act as you, as well as log into third-party apps that rely on Facebook’s identity platform.
However, experts tell me that details of the post were inaccurate or misleading, chiefly because Wright didn’t specify that he was using jailbroken devices. On an unmodified device the .plist can only be accessed by the Facebook app itself; someone else can only get at it if the phone is jailbroken or rooted, or if the flash memory is physically unsoldered from the device. Sure, jailbreaking gives you deep access to your mobile’s hardware as well as the ability to install black-market apps, but it also disables critical security measures, including the sandbox that keeps one app out of another app’s files. And if someone has full physical access to your phone, tools like iExplore and others can help them get around almost any security feature.
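To see why file access is the whole story here, the following added example (not code from the original article, from Gareth Wright, or from Facebook) parses a property list the way an auditor would after pulling an app container off a device, and reports every value stored under a credential-looking key. The sample plist, its key names and the token value are constructed for this example and are not the real keys the Facebook app used; the list of sensitive key patterns is likewise an assumption.

```python
"""Scan a .plist for credential-like values.

Added example, not part of the original article or any vendor code. The
sample plist below and its key names are constructed for the demo; they are
not the real keys used by the Facebook app.
"""
import plistlib
import re
from typing import Any, Iterator, List, Tuple

# Key-name patterns that commonly hold credentials (assumed list for the demo).
SENSITIVE_KEY_RE = re.compile(
    r"(access[_-]?token|oauth|secret|password|refresh[_-]?token|session)",
    re.IGNORECASE,
)

# Constructed sample: a plist with an app token stored as a plain string.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UserID</key>
    <string>100000000000001</string>
    <key>Auth</key>
    <dict>
        <key>AccessToken</key>
        <string>EXAMPLE-TOKEN-not-a-real-credential-0123456789abcdef</string>
        <key>ExpirationDate</key>
        <date>2012-06-01T00:00:00Z</date>
    </dict>
    <key>Theme</key>
    <string>light</string>
</dict>
</plist>
"""


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (key path, leaf value) for every leaf in a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def redact(value: Any) -> str:
    """Keep a short prefix so a finding is recognisable without logging the secret."""
    text = value.decode("latin-1", "replace") if isinstance(value, bytes) else str(value)
    if len(text) <= 8:
        return "*" * len(text)
    return f"{text[:4]}...({len(text)} chars)"


def find_secrets(plist_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (key path, redacted value) for leaves under credential-like keys.

    plistlib.loads autodetects XML and binary plists, so the same scan works
    on either encoding an app might write to its sandbox.
    """
    data = plistlib.loads(plist_bytes)
    return [
        (path, redact(value))
        for path, value in walk(data)
        if SENSITIVE_KEY_RE.search(path)
    ]


def as_binary(plist_bytes: bytes) -> bytes:
    """Re-encode an XML plist as a binary plist (iOS apps often write this form)."""
    return plistlib.dumps(plistlib.loads(plist_bytes), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for encoding, blob in (("xml", SAMPLE_PLIST), ("binary", as_binary(SAMPLE_PLIST))):
        for path, shown in find_secrets(blob):
            print(f"[{encoding}] {path}: {shown}")
```

Run against a real container this only confirms what the article already says: once the file is readable, the token is readable, whether the plist is XML or binary. The general mitigation, which the article does not go into, is to keep tokens out of plist and preferences files altogether and store them in the platform credential store (the iOS Keychain, or the Android KeyStore-backed equivalents), where the OS enforces per-app access even if someone can copy ordinary files off the device.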
Facebook has released the following statement on the issue:
“Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, ‘unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.’ To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.”
This is one of those largely theoretical security flaws that make headlines occasionally. Yes, be careful about plugging your jailbroken phone into a stranger’s stereo dock or USB cable, but really, don’t lose your phone and then fail to wipe it. Protect yourself by setting up remote wipe through Find My iPhone for iOS or Exchange ActiveSync for Android. Then if you get off the train or stumble home from a drunken night to find your phone missing, wipe it first, and cry/search/buy a new one later.