Props go out to Gareth Wright for discovering a security flaw in Facebook’s mobile apps for iPhone and Android. The problem stems from the fact that Facebook has not been encrypting the user login credentials its apps store on the device.
This means that a rogue app or an unauthorized USB connection can grant others access to your personal information. Facebook issued the following statement:

Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android), or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment, and security, all of which is compromised on a jailbroken device. As Apple states, “Unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.” To protect themselves, we recommend that all users abstain from modifying their mobile OS to prevent any application instability or security issues.
While it certainly is convenient for Facebook to claim that only jail-broken phones are at risk, Next Web has proven this statement to be untrue: any smartphone, even one protected with a passcode, is at risk.
So what does this mean for you? In the immortal words of Douglas Adams, “Don’t Panic!” The vulnerability still relies on a physical link to your phone. Until Facebook makes the necessary adjustments, avoid connecting your phone to public charging stations or computers.