Over the weekend a security researcher by the name of Gareth Wright revealed the discovery of a security hole in the Facebook app for mobile devices running iOS and possibly Android. The hack which allows a user to copy a plain text file onto another device is said to be a major mistake most developers do rather than encode add to keychain or save values in the binaries, they choose to save those values in plain text plists according to Wright.
Facebook’s Android and iOS apps do not encrypt login credentials, instead storing them in plain text files and allowing the information to be easily accessed and transferred over a USB connection, or more likely, through a malicious app.
The Next Web decided to do some testing of their own and had this to say:
The Next Web has discovered that popular file-syncing app Dropbox also exhibits the vulnerability. Updated with statement from Dropbox below.
As we noted earlier, the vulnerability lies with the app itself, as it stores this information in plain text, rather than encrypting or packaging it so that it cannot be accessed.
Facebook has responded, sending out the following statement:
Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.
At first glance, the statement appears to indicate that you’re only vulnerable to this kind of profile theft if you jailbreak your device. We have confirmed that this is completely untrue. Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak.