Illusion of Security on iOS and Android mobile devices

On April 3, Garth Wright reported his discovery of a Facebook security loophole on his iPhone. The security problem centers on the .plist file used by apps to store settings. Garth Wright discovered that the iPhone Facebook app not only stores the Facebook token (used by apps to access your Facebook account) in the .plist file, but also stores the OAuth key and secret key in plain text. Simply copying the .plist file to another phone allowed the second phone to access his Facebook account. To make matters worse, the key was set to expire in the year 4001. This is a serious programming error on the part of Facebook, as there is a secure method for storing these keys.

On April 6, Tuaw reported that the same programming error existed in the iOS apps for Dropbox and LinkedIn. Moreover, the same error existed in the Android apps for Facebook and LinkedIn, but not Dropbox. Comments show that Tumblr and Vimeo had the same problem. The security community was now in full swing checking apps for unencrypted access information in the .plist file. Scoopz reported that the same information could be retrieved from the iOS backup files.

The initial response from Facebook was that this only affected “jailbroken” iPhones or rooted Android devices. In his article, Garth Wright provided a proof of concept showing that this is not true. While he initially discovered the problem using iExplorer, the same files could be found by tethering the device to a PC while charging the phone. My tests show that the same information is available through Bluetooth or Wi-Fi tethering. Since the iPhone does not have an SD card, this issue was never mentioned in the reports. For Android devices, some apps install to the SD card, which extends the security loophole to simply putting the SD card into a PC.

For most phone users, there is an illusion of security. The average user only sees the graphical interface, and sees only a limited view of the underlying file system. When you give an app permission to access your Facebook account, the app stores the information that it retrieves from Facebook. The more permission granted to the app, the more information stored by the app. If an unauthorized person gets access to your phone they can steal your identity, without your knowledge.

The good news is that this is not an easy security hole to exploit. Furthermore, protecting your phone from unauthorized access is not hard. Steps 4, 5, and 6 in the article “Protecting your personal data when you lose your cellphone in Costa Rica” describe the basic steps that you should take. In addition, you should do the following:

  • When you are not using Bluetooth, you should disable it. You should not enable the Bluetooth setting for “Discoverable.” Normally, the Android device pairs to a remote device, such as a headset or keyboard. In this scenario, your mobile device discovers the remote device. The only time you need to make your mobile device “Discoverable” is when you are pairing to another mobile device or PC. When your mobile device is “Discoverable,” you are advertising your mobile device to every Bluetooth device searching for a connection.
  • When using Wi-Fi tethering, use an application such as AirDroid or WiFi File Transfer. With WiFi File Transfer, you should enable the password setting.
  • When your phone battery is running low, be careful about using a stranger’s PC to charge your phone via the USB cable. During the time your phone is charging, your data is accessible from the PC.
  • Avoid storing apps that require password authentication on the SD card. Be especially aware of apps that connect to Facebook, as there are still apps that incorrectly store Facebook tokens in the .plist file.
  • If you are using an app to back up the data on your phone, you should make sure that the backup file is encrypted.
  • Should someone steal your phone, immediately take the actions mentioned in “Recovering Lost Mobile Devices in Costa Rica” to secure the phone and see if you can find the phone. If you cannot recover your phone, then you need to report the stolen phone according to the instructions in “Reporting Stolen Phones in Costa Rica: SUTEL Blacklist.” Blacklisting a phone does not protect against identity theft. Blacklisting only makes the phone unusable by another party. Only you can prevent identity theft.

Since the .plist security hole was first reported, there has been a flurry of updates for social networking applications. The one exception is the Facebook app. So far, Facebook does not see this as a serious threat. This does not mean that you need to stop using the Facebook app. By following the steps outlined in this article, you can protect your phone from identity theft.
