Is it time for Facebook to learn a security lesson from Apple?

Filed Under: Apple, Data loss, Facebook, Law & order, Malware, Rogue applications, Social networks, Spam

Facebook and iPhone
The Apple iPhone and Facebook - both have been incredible phenomena, capturing the imagination of millions of people and rewriting the rules when it comes to technology today.

Both have been extraordinarily successful, but when it comes to security it's a whole different story.

Aside from a few attacks against jailbroken iPhones, there hasn't been any malware problem to speak of on the Apple iPhone.

That's fairly remarkable, if you consider what an attractive target that iPhone population must be to the cybercriminal underground - but the reason is that Apple is very strict about the development of iPhone apps. If you don't get approved by the App Store, the vast majority of iPhone users won't be able to run your code.

And Apple's developer approval process means that all code is reviewed before it's placed in the App Store - this doesn't just stop yet another fart app, it also reduces the opportunities for malicious hackers to spread dangerous code via this route. Whatever Apple is doing, it seems to be doing it right.

Not everyone may like Apple's "walled garden" approach (and that has no doubt fuelled the jailbreaking industry) but you cannot deny that it has kept the Apple iPhone a relatively safe place to be.

Now, let's look at Facebook.

Facebook doesn't check the applications you write for its platform to see if they might be malicious.

That's why it's not unusual to see rogue applications (like the ones pictured below which are active today) spreading their spam and dangerous links across the social network.

Rogue Facebook applications

Facebook says that all it needs is for developers to verify their accounts by confirming their mobile phone number or credit card details, and after that you're free to write whatever applications you like.

Create application

I wouldn't imagine it's very difficult for cybercriminals to get their hands on a credit card or a pay-as-you-go mobile phone number. And so there's hardly any barrier at all before they start writing rogue apps that point to revenue-generating survey scams, steal personal information, direct users' web browsers to malicious sites, or spam from your account.

It hasn't always been this way. In November 2008, Facebook introduced an application verification program - inviting developers to pay $375 to have their apps checked out by Facebook, and given a special "badge".

However, this verification system was optional, and the following year, Facebook killed the program off.

Every day I encounter new malicious apps on Facebook, that are happily spreading on the social network, compromising users' profiles and driving people to distraction.

Maybe it's time that Facebook put in place a compulsory verification system for apps? After all, it's working well for the iPhone. And it seems other people agree.

Sophos poll about whether Facebook should verify apps

If you want to learn more about security threats on Facebook, don't forget you can join the Sophos page on Facebook.


4 Responses to Is it time for Facebook to learn a security lesson from Apple?

  1. Dr. Kerner · 1721 days ago

    I think Facebook users are typically dull individuals that don't care for anything. iPhone users have a high ego and like to show off but basically no knowledge.
    Both of them are typically endangered by all kinds of tricks.
    The best is to put the Facebook and the iPhone users themselves in kindergarten to waste time on useless services in a safe environment.

  2. Mayank · 1687 days ago

    Facebook should definitely implement an app-screening process, as more than 90% of its apps are crappy and spam my news feed: I've blocked most of them but every day a new one crops up.

  3. phil · 1676 days ago

    That may be your opinion and you are certainly entitled to it. I doubt that 90% of the apps are 'crappy' or 'spammy', but instead think that you have a bunch of idiots for friends that are unaware of the consequences when they grant the couple of bs apps publish stream permissions. Requiring a steep setup fee definitely limits the creativity of the apps, and increases costs passed on to the consumers. Is that $375 per app, or $375 per developer? I can almost guarantee that if Facebook would implement that, or a similar process, apps would no longer for the most part be available to at least try for free. And because of the very nature of Facebook apps, it wouldn't stop the spam from spreading either, because Facebook apps are served from an external server.

    What would stop a lot of the bs apps and spam is simple user education. They spread because they are able to tap into a network of morons, who enable it to spread out of sheer stupidity (or too lazy to read what they are agreeing to when they hit the continue button). If you are getting flooded with bs apps like this, take the 2 minutes and try to educate the real culprit behind it, YOUR FRIEND, so they will stop reposting the garbage, or just defriend the idiot posting it...

  4. Amy · 1472 days ago

    I agree with you. I do not add people I do not know personally, and the friends I have that are gullible to the apps and "copying and pasting" dumb chain letters I have hidden from my news feed (LOL)
    I have to point out that your first paragraph is wrong. I believe you misread the story.
    It says Facebook IS the one that paid $375 for the app approval, not Apple.

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley