Facebook, Dropbox Apps Have Serious Security Flaw That Puts Your Personal Data At Risk

Posted: April 6, 2012 in Analysis

A security researcher has discovered a serious flaw with the Facebook and Dropbox apps for both Android and iOS that puts all of your sensitive personal data at risk.

Anyone with access to your device can use a free piece of software that’s easily available on the internet to retrieve an unencrypted, plain text file from your device that provides access to your entire account — without requiring a jailbreak.

Gareth Wright detailed the issue in a post on his blog on April 3. It was initially focused on the Facebook app, but The Next Web reports that the flaw is also present in the Dropbox app.

Facebook has since issued a statement to deny there’s any issue on stock devices:

Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.

But Facebook is wrong. With a free application called iExplore, users can access all sorts of files on their device without jailbreaking it first. This allows the .plist containing all of your personal data to be extracted. It’s in plain text and it’s not encrypted or secured in any way, so anyone can open it.

Facebook is correct, however, when it says that a “malicious actor” must obtain physical access to your device first. So there’s no need to worry about your data being stolen while you have possession of your handset. But if it’s lost or stolen, then there’s cause for concern.

The issue is not with Android or iOS themselves; it’s with these apps that choose not to encrypt your data. So it’s up to Facebook and Dropbox to fix the issue. There could be others out there, too, but these are the only two so far that have been found to feature this vulnerability.
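A pre-release check an app developer could run against the app's own preference files to catch the kind of plain-text credential storage described above. This is an added example, not code from the researcher or from either app; the key-name pattern and the sample file are assumptions constructed for illustration.

```python
import plistlib
import re

# Key names that suggest a credential (assumed heuristic, not from the article).
SUSPECT_KEY = re.compile(r"token|secret|passw|session|oauth|api_?key", re.I)


def find_plaintext_secrets(plist_bytes):
    """Return sorted key paths whose names look like credentials and whose
    values are stored as readable strings or raw bytes."""
    root = plistlib.loads(plist_bytes)  # handles XML and binary plists
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [f"[{i}]"])
        elif isinstance(node, (str, bytes)) and node:
            # Flag on the nearest dictionary key name; never record the value.
            names = [p for p in path if not p.startswith("[")]
            if names and SUSPECT_KEY.search(names[-1]):
                hits.append("/".join(path))

    walk(root, [])
    return sorted(hits)


# Constructed sample preferences file; key names and values are made up.
SAMPLE = plistlib.dumps({
    "AppVersion": "1.0",
    "Account": {"user_id": "1000", "access_token": "EXAMPLE-NOT-A-REAL-TOKEN"},
    "Sessions": [{"session_secret": b"\x01\x02\x03"}],
    "last_sync": "2012-04-06",
})

if __name__ == "__main__":
    for key_path in find_plaintext_secrets(SAMPLE):
        print("plaintext credential-like value at:", key_path)
```

The check reports only key paths, never the values, so its output can go into a build log.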

Keep your eyes peeled for those updates.

Source: cultofandroid.com
