Security Hole in Facebook Mobile App Invites Theft of Identity
GLOBAL – It is a common belief that non-jailbroken iOS devices are not vulnerable to serious attacks, given the closed character of the operating system. This, however, is not the case, as some apps installed on these devices save values in plain-text plists instead of encoding them in the keychain or saving them in the app’s binaries.
This may not seem dangerous at first sight, but with a simple file explorer like iExplorer, it is possible to open and copy such a file without any problem.
Those plists are also easily accessible from any shared PC or other device connected to the smartphone or tablet. Add to this the fact that apps using Facebook for their connectivity (like Draw Something) and the Facebook app itself save account access info in those plists, and it is clear that this is an easily accessible security hole in Facebook’s iOS connectivity, one which may put at risk an enormous amount of personal information belonging to users and their Facebook friends.
The worst aspect of this is that a similar problem seems to exist with Android apps, although there is still no solid proof of that. After testing numerous non-jailbroken iOS devices, however, it has been confirmed that this problem is indeed present in the iOS Facebook connectivity. Facebook has even confirmed that it is aware of the problem and is working to fix it, but for the moment there is no solution, nor any means of notification in the event of identity theft carried out this way.
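
A developer-side check for the storage pattern described above, as an added example that is not part of the original article: it walks a copy of an app's data directory taken from the developer's own test device, parses XML and binary plists, and reports the key paths whose names look like credentials, never the values. The key-name pattern, the file names and the sample contents are constructed assumptions.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Assumption: key names that suggest a stored credential; tune this for your own app.
SENSITIVE_KEY = re.compile(r"token|secret|passw(or)?d|session|api[_-]?key|auth", re.I)

def walk(node, path=""):
    """Yield (key_path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(node, (list, tuple)):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node

def audit_plist(plist_path):
    """Key paths whose leaf name looks like a credential and holds a non-empty str/bytes."""
    try:
        data = plistlib.loads(Path(plist_path).read_bytes())  # XML or binary
    except Exception:  # unreadable or not a valid plist: nothing to report
        return []
    return [kp for kp, v in walk(data)
            if isinstance(v, (str, bytes)) and v
            and SENSITIVE_KEY.search(kp.rsplit("/", 1)[-1])]

def audit_tree(root):
    """Map each plist (path relative to root) to its flagged key paths; values are not returned."""
    return {str(p.relative_to(root)): hits
            for p in sorted(Path(root).rglob("*.plist")) if (hits := audit_plist(p))}

def make_sample(root):
    """Constructed sample: an XML plist with a token-like entry and a clean binary plist."""
    prefs = Path(root) / "Library" / "Preferences"
    prefs.mkdir(parents=True)
    (prefs / "com.example.app.plist").write_bytes(
        plistlib.dumps({"example_access_token": "CONSTRUCTED-VALUE", "theme": "dark"}))
    (prefs / "com.example.settings.plist").write_bytes(
        plistlib.dumps({"volume": 7, "auth_enabled": True}, fmt=plistlib.FMT_BINARY))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(audit_tree(tmp))
```

Any key path this reports is a candidate for moving into the keychain; boolean or numeric settings such as the sample's `auth_enabled` flag are ignored because only string and data values are flagged.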