On April 3, Garth Wright reported his discovery of a Facebook security loophole on his iPhone. The security problem centers on the .plist file used by apps to store settings. Garth Wright discovered that the iPhone Facebook app not only stores the Facebook token (used by apps to access your Facebook account) in the .plist file, but also stores the OAuth key and secret key in plain text. Simply copying the .plist file to another phone allowed the second phone to access his Facebook account. To make matters worse, the key was set to expire in the year 4001. This is a serious programming error on the part of Facebook, as there is a secure method for storing these keys.
On April 6, TUAW reported that the same programming error existed in the iOS apps for Dropbox and LinkedIn. Moreover, the same error existed in the Android apps for Facebook and LinkedIn, but not Dropbox. Comments show that Tumblr and Vimeo had the same problem. The security community was now in full swing, checking apps for unencrypted access information in the .plist file. Scoopz reported that the same information could be retrieved from the iOS backup files.
The initial response from Facebook was that this only affected "jailbroken" iPhones or rooted Android devices. In his article, Garth Wright provided a proof of concept showing that this is not true. While he initially discovered the problem using iExplorer, the same files could be found by tethering the device to a PC while charging the phone. My tests show that the same information is available through Bluetooth or Wi-Fi tethering. Since the iPhone does not have an SD card, this issue was never mentioned in the reports. For Android devices, some apps install to the SD card, which extends the security loophole to simply putting the SD card into a PC.
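The check below is an added example, not code from the original article or from any of the apps mentioned: it parses a preferences .plist the way a developer or auditor would when verifying that their own app does not commit the error described above, flagging string values stored under credential-like keys and expiry dates set absurdly far in the future (such as the year 4001). The sample plist, its key names and its values are constructed for illustration.

```python
import plistlib
import re
from datetime import datetime, timezone

# Constructed sample of a preferences .plist that stores OAuth material in
# plain text. Key names and values are made up for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ShowBadges</key><true/>
    <key>AccessToken</key><string>EXAMPLE-access-token-value</string>
    <key>OAuthConsumerSecret</key><string>EXAMPLE-consumer-secret</string>
    <key>TokenExpiry</key><date>4001-01-01T00:00:00Z</date>
</dict>
</plist>
"""

# Key names that suggest a credential rather than an ordinary setting.
SECRET_KEY_PATTERN = re.compile(r"token|secret|password|passwd|oauth|credential", re.IGNORECASE)
# Any token valid for more than this is a sign nothing ever expires it.
MAX_SANE_LIFETIME_DAYS = 365


def walk(node, path=""):
    """Yield (path, value) for every leaf in a nested plist dict/array."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(data, now=None):
    """Return human-readable findings for a plist supplied as bytes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for path, value in walk(plistlib.loads(data)):
        # A non-empty string under a credential-like key: plaintext secret.
        if isinstance(value, str) and value and SECRET_KEY_PATTERN.search(path):
            findings.append(f"plaintext credential-like string at {path}")
        # plistlib returns naive datetimes; treat them as UTC.
        if isinstance(value, datetime):
            expiry = value if value.tzinfo else value.replace(tzinfo=timezone.utc)
            if (expiry - now).days > MAX_SANE_LIFETIME_DAYS:
                findings.append(f"expiry far in the future at {path}: {value.date()}")
    return findings


if __name__ == "__main__":
    for finding in audit_plist(SAMPLE_PLIST):
        print(finding)
```

Run the same function over a real app's Library/Preferences plists on a test device to confirm nothing credential-shaped is stored outside the Keychain.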
For most phone users, there is an illusion of security. The average user only sees the graphical interface, and sees only a limited view of the underlying file system. When you give an app permission to access your Facebook account, the app stores the information that it retrieves from Facebook. The more permission granted to the app, the more information stored by the app. If an unauthorized person gets access to your phone they can steal your identity, without your knowledge.
The good news is that this is not an easy security hole to exploit. Furthermore, protecting your phone from unauthorized access is not hard. Steps 4, 5, and 6 in the article "Protecting your personal data when you lose your cellphone in Costa Rica" describe the basic steps that you should take. In addition, you should do the following:
- When you are not using Bluetooth, you should disable it. You should not enable the Bluetooth setting for "Discoverable." Normally, the Android device pairs to a remote device, such as a headset or keyboard. In this scenario, your mobile device discovers the remote device. The only time you need to make your mobile device "Discoverable" is when you are pairing to another mobile device or PC. When your mobile device is "Discoverable," you are advertising your mobile device to every Bluetooth device searching for a connection.
- When using Wi-Fi tethering, use an application such as AirDroid or WiFi File Transfer. With WiFi File Transfer, you should enable the password setting.
- When your phone battery is running low, be careful about using a stranger’s PC to charge your phone via the USB cable. During the time your phone is charging, your data is accessible from the PC.
- Avoid storing apps that require password authentication on the SD card. Be especially aware of apps that connect to Facebook, as there are still apps that incorrectly store Facebook tokens in the .plist file.
- If you are using an app to back up the data on your phone, you should make sure that the backup file is encrypted.
- Should someone steal your phone, immediately take the actions mentioned in "Recovering Lost Mobile Devices in Costa Rica" to secure the phone, and see if you can find the phone. If you cannot recover your phone, then you need to report the stolen phone according to the instructions in "Reporting Stolen Phones in Costa Rica: SUTEL Blacklist." Blacklisting a phone does not protect against identity theft. Blacklisting only makes the phone unusable by another party. Only you can prevent identity theft.
Since the .plist security hole was first reported, there has been a flurry of updates for social networking applications. The one exception is the Facebook app. So far, Facebook does not see this as a serious threat. This does not mean that you need to stop using the Facebook app. By following the steps outlined in this article, you can protect your phone from identity theft.