If you are one of millions who have downloaded the Android or iOS Facebook app to your smartphone or tablet, you may not "Like" this blog post. The privacy of your personal information—or that of your company—may be at stake. According to Gareth Wright, a mobile application developer, hackers can access the .plist file of your Facebook application with relative ease.
With access to this file, the hacker can obtain the app's access token, full OAuth key and secret. With these items, a user's account could be hijacked and his or her identity effectively stolen. As you can imagine, news of this potential threat circulated the web relatively quickly, which prompted experts to shine more light on the topic.
Josh Constine of TechCrunch says not so fast. In a recent post, Constine pointed out the vulnerability only applies to jailbroken or rooted devices. Good news for some of you, but not all, especially those of you who use your phone or tablet both at work and out of the office.
Is Jailbreaking the Root of the Problem?
Jailbreaking refers to the process of modifying Apple iPhone or iPad software (iOS), and is typically performed as a means to avoid limitations to device functionality. Users can then access third-party applications that would otherwise be unauthorized to run on their device. As for Android devices, they may be less restricted than Apple devices, but they can be rooted in order to get rid of custom interfaces or to gain more control over the device.
Jailbreaking and rooting are controversial practices, and will void the warranty of most devices. As the recent Facebook vulnerability revealed, jailbreaking can remove some of the key security protections that come standard on a mobile device.
MDM, Remote Wipe, Problem Solved
When rooted or jailbroken devices gain access to the corporate network, they automatically pose security risks. IT professionals in the enterprise would be well-advised to guard against the hazards that come along with these penetrable gadgets. Many security professionals have answered the call by working jailbroken and rooted devices into their mobile device management (MDM) policy.
However, as Constine pointed out, lost or stolen devices make matters more complicated. Any hacker worth their salt can root or jailbreak a device that falls into their possession. For this reason, it's important to consider remote wipe solutions, which allow IT departments or individual users to remove sensitive data from a mobile device that is lost or stolen. If it falls into the wrong hands, cost of replacement and restoration should be the only concern.
With the above considered, the threat of the Facebook app is not as scary as it may have first seemed. Much like the other threats brought about by the mobile digital age, it is one that can be mitigated by common sense best practices and smart security solutions.
So for all you employees out there, do you have a jailbroken or rooted device? If so, what measures will you take going forward to ensure your personal/company information remains out of hackers' hands? Tech admins, what are you doing to prevent infiltration of private corporate information?