A security flaw that exposes iOS and possibly Android smartphone users to identity theft has been discovered in mobile apps for Facebook, Dropbox, and LinkedIn. Smartphone owners would be well served to take extra precautions to protect their devices, as the flaw may well be present in other mobile applications as well.
The flaw exposes users to identity theft by saving user authentication keys in easily accessible, unencrypted plain text files, or .plists. By stealing those files and transferring them to another device — regardless of whether the device is jailbroken — a cyber thief could access the victim’s associated accounts without having to enter any log-in credentials.
Security researcher Gareth Wright reported discovering the flaw in the mobile Facebook application for iOS late last week. Wright sent his Facebook .plist to an associate — Scoopz blogger Neil Cooper — who copied the file onto his own device, opened up the Facebook app, and had immediate, full access to Wright’s Facebook account.
According to Wright, Facebook is working on closing the hole, “but unless app developers follow suit and start encrypting the 60-day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose — if they aren’t already.”
Wright did not test the Android version of the application for the flaw. He did write, however, that “given the programming oversight in the iOS app, it stands to reason the issue will translate to other platforms.”
Since Wright published his findings, The Next Web found that the iOS app for Dropbox also has the flaw, as does the LinkedIn app for iOS, according to Scoopz. The flaw is present in various iOS mobile games, too, according to Wright, which players can exploit to cheat.
Given that the flaw is present in apps for Facebook, Dropbox, LinkedIn, and various games, it’s entirely likely that it affects other mobile apps — which means it’s up to developers to double-check how their wares handle profile information.
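As an added check, not code from the article or from any of the vendors it names: a small Python audit that parses an app's .plist files (XML or binary) and flags credential-like keys holding plaintext string values, so a developer can catch this class of storage before shipping. The key-name pattern and the sample file contents are constructed for the example.

```python
import plistlib
import re
from typing import Any

# Key names that commonly hold credentials; a plaintext string under one of
# these in a .plist is the kind of storage the article describes.
SENSITIVE_KEY = re.compile(r"(access.?token|auth.?token|session|password|secret)", re.I)

def walk(node: Any, path: str = ""):
    """Yield (key_path, value) for every leaf in a plist object tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_plaintext_tokens(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Parse a plist (XML or binary) and return (key_path, value) pairs whose
    key looks credential-like and whose value is a non-empty plaintext string."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for key_path, value in walk(data):
        last = key_path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY.search(last) and isinstance(value, str) and value:
            hits.append((key_path, value))
    return hits

# Constructed sample resembling an app preferences file; all values are made up.
SAMPLE = {
    "AppVersion": "4.1",
    "FBAccessTokenKey": "AAAB-made-up-token-value",
    "FBExpirationDateKey": "2012-06-09",
    "accounts": [
        {"user": "alice", "session_token": "s3ss10n-made-up"},
        {"user": "bob", "session_token": ""},   # empty value: not a finding
    ],
    "theme": {"dark": True},
}

def audit_sample() -> list[tuple[str, str]]:
    """Serialise the sample in both plist encodings and audit each; the
    findings must not depend on which on-disk format the app used."""
    xml_hits = find_plaintext_tokens(plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML))
    bin_hits = find_plaintext_tokens(plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY))
    assert xml_hits == bin_hits
    return xml_hits

if __name__ == "__main__":
    for key_path, value in audit_sample():
        print(f"plaintext credential at {key_path}: {value[:8]}...")
```

Run it against the .plist files under an app's sandbox (or a device backup you own) to list where tokens are stored unencrypted; anything it reports belongs in the Keychain rather than in a preferences file.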
According to Wright, the biggest risk a user faces is that of malware designed to slurp data from devices plugged into PCs, e.g. for charging. Wright offered the following advice for protecting your smartphone. First, set a complex password, not a simple four-digit PIN, for your device. Second, turn on your device’s Find My iPhone function. Third, if you plug your device into a shared computer to charge it, don’t unlock the device until you disconnect it.