Real World Computing

Poking into Facebook security

Posted on 4 Feb 2010 at 11:32

Davey Winder wonders if it's time Facebook adopted Apple's approval process for apps

Hacked Facebook apps are being used by Russian cybercrime gangs to peddle rogue antivirus software, part of an ever-increasing trend towards scareware-based schemes for raking in the cash. It should be noted that the applications’ developers are victims here too, leaving aside the fact that they left the loopholes that let the bad guys inject code.

These Facebook applications are web-hosted: when you add an app, you’re using Facebook’s servers to link to a third-party site hosting that app. What’s been happening is that the app has an extra iframe injected, which shows you a fake licensing frame, and when you accept the terms it points you to a Russian scam site that displays those “your site is infected” pop-ups – complete with a “click here to protect your computer” link.
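As an added illustration (not code from the column or from any Facebook app), here is a small defender-side check for the symptom described above: a page that has acquired an extra iframe pointing off-domain, typically hidden or shrunk to a pixel. The trusted hostnames and the sample HTML are constructed for the example.

```python
"""Flag iframes that point outside an app's own hosts or are hidden.
Added example; TRUSTED_HOSTS and SAMPLE_HTML are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the (hypothetical) app legitimately embeds; anything else is suspect.
TRUSTED_HOSTS = {"app.example-fbapp.test", "static.example-fbapp.test"}


class IframeCollector(HTMLParser):
    """Collect the attribute sets of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for display:none / visibility:hidden or 0x0 / 1x1 frames."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return "display:none" in style or "visibility:hidden" in style or tiny


def suspicious_iframes(html, trusted=TRUSTED_HOSTS):
    """Return [(src, [reasons])] for frames a reviewer should look at."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or ""   # "" for relative src
        reasons = []
        if host and host not in trusted:
            reasons.append("off-domain host " + host)
        if is_hidden(a):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate frame, one injected fake-licence frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://static.example-fbapp.test/game.html" width="760" height="600"></iframe>
<iframe src="http://fake-licence.example.test/accept.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML):
        print(src, "->", "; ".join(why))
```

Running this over a crawl of an app's pages gives a simple baseline to diff against after each deployment, so a newly appearing off-domain frame stands out.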

At the time of writing, AVG has found eight such compromised applications, and you can view the complete list at the Thompson site. My advice, though, is don’t use Facebook applications – full stop.

Although this latest scare isn’t a matter of deliberately malicious applications, but rather a vulnerability being exploited in innocent apps, I can’t help but wonder whether an Apple-like approval process might not be a more secure route for Facebook to take. Despite there being more than 70,000 different iPhone apps available, and iPhone users having downloaded them more than 2 billion times, I don’t recall reading many security scare stories relating to iPhone apps.

In fact, I’ve not been made aware of a single one (if you discount pirated and hacked apps for jailbroken iPhones), and that’s pretty remarkable considering the tempting herd of newbies that the iPhone exposes to the bad guys. I suspect the reason is that Apple locks down iPhone app development pretty tightly, or to be more precise it locks down iPhone app distribution pretty tightly, courtesy of the App Store approval process.

All applications have to be signed by their developer and all are reviewed before being approved for distribution – the depth of that review isn’t revealed by Apple, but given that there have been no exploits of these apps so far, I imagine that some degree of server-side checking must take place for web-enabled applications. The majority of iPhone apps are “code static”, and so the Facebook iframe injection exploit doesn’t work with them.

At this point I should declare that I’m not an iPhone app developer and am more than happy to hear (in confidence, off the record, nudge nudge wink wink, by email) from any readers who are and who feel like sharing. However, my point is that whatever Apple is doing, and whatever Apple iPhone app developers are doing, it seems to be working.

The other point is that some checking is better than no checking, and to allow applications to be released to the public with no vetting at all is pretty dangerous when you’re dealing with social networks that have a ready-made audience ripe for exploitation. At the very least I’d like to see Facebook application developers required to disclose their identity and sign a contractually binding agreement in order to become an authorised developer.


User comments

Apple not quite so safe

There have been problem applications for Apple (http://www.eweek.com/c/a/Security/Apple-iPhone-App-Security-in-Spotlight-at-Black-Hat-398696/).

Apple have always pulled applications they are not happy with (and plenty of good applications too). Facebook also have the ability to disable applications they are not happy with, as each application requires an API key.

I have developed an application for Facebook (called Fonebook; it's a Windows application) and I think the level of security is pretty good. There is a lot of information that you can't get access to (such as phone numbers and e-mail addresses of friends; Apple give you access to this information). And Facebook do vet applications (as part of the submission process) in a similar manner to Apple.

To say iPhone applications are code static is frankly wrong; see here for an example of an app allowing downloadable content: http://www.pocketgamer.biz/r/PG.Biz/Pocket+God/news.asp?c=17078

Yes, Apple hasn't been targeted as much as Facebook, but that could be down to the number of users (the same reason Windows is attacked more than Linux). Facebook has 350 million users (http://www.facebook.com/press/info.php?statistics) and, whilst I'm struggling to find the accurate number of iPhone users, this article (http://www.pcworld.com/article/163671/ipod_touch_iphone_sales_total_37_million_units.html) would suggest there are maybe up to 50 million.

Ross

By RossD on 5 Feb 2010

Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk