Facebook android security fail

By: on February 5, 2014

I wrote about the Ocado android applications ridiculous privileges ¬†list a while back. Facebook has reminded me of it:¬†Facebook app now reads your smartphone’s text messages? THE TRUTH.

Facebook want to be able to capture the two factor auth message straight from your text messages, so they ask for access to all your text messages.

What should happen, is that there’s a two factor auth agent app, which has access to your text messages. Other apps register with it – specifying that they wish to receive text messages from a particular sender. When they do this, the agent asks the user if that’s allowed. That’s better, because the agent is a small and simple app, and if lots of apps share it, we can spend more on it, further cutting down on faults.

Because this app doesn’t exist yet, someone trusted needs to write it. Facebook could write it but why would they do that? most users user’s wouldn’t understand the difference. Lot’s of people argue that the someone trusted should be Google, and the agent should be part of Android.

I think this is a great opportunity for a security brand to build it’s reputation: it can create a suite of applications like this, and then offer to endorse apps which use them, and follow a set of guidelines.

This could be implemented with something as simple as a trademark on the apps page, but it’s preferable that endorsements are cryptographically signed certificates, and android displays endorsements before installation. App developers would pay for the endorsement – either by paying for the review, or by a share of revenue.

This is a much more positive role for a security brand than offering virus checking, since it will significantly reduce zero day exploits, by increasing software quality. It’s also the only way open, since Google aren’t allowing third parties to block app installation. Building a brand seems to be something the industry knows how to do, we should harness that to improve software quality.

I need to add a couple of things to this. One is an oversight, and the other came to my attention just after writing the above:

The Google+ app recently asked to read your text messages – it incorporates them into the user interface. I don’t know if Google are slurping text messages as a result, but the security implications are exactly the same.

Facebook have released a library designed to help app developers safeguard users data on Android devices using cryptography. I haven’t looked at it to asses it’s efficacy, but as I’ve noted here before, Android doesn’t provide access to the phones hardware key storage mechanisms on any phone I’m aware of, so it’s not obviously possible for this library to be effective.



Comments are closed