Is it time for Facebook to learn a security lesson from Apple?

Facebook and iPhone
The Apple iPhone and Facebook – both have been incredible phenomenons, capturing the imagination of millions of people and rewriting the rules when it comes to technology today.

Both have been extraordinarily successful, but when it comes to security it’s a whole different story.

Aside from a few attacks against jailbroken iPhones, there hasn’t been any malware problem to speak of on the Apple iPhone.

That’s fairly remarkable, if you consider what an attractive target that iPhone population must be to the cybercriminal underground – but the reason is because Apple is very strict about development of iPhone apps. If you don’t get approved by the App Store, the vast majority of iPhone users won’t be able to run your code.

And Apple’s developer approval process means that all code is reviewed before it’s place in the App Store – this doesn’t just stop yet-another fart app, it also reduces the opportunities for malicious hackers to spread dangerous code via this route. Whatever Apple is doing, it seems to be doing it right.

Not everyone may like Apple’s “walled garden” approach (and that has no doubt fuelled the jailbreaking industry) but you cannot deny that it has kept the Apple iPhone a relatively safe place to be.

Now, let’s look at Facebook.

Facebook doesn’t check the applications you write for its platform to see if they might be malicious.

That’s why it’s not unusual to see rogue applications (like the ones pictured below which are active today) spreading their spam and dangerous links across the social network.

Rogue Facebook applications

Facebook says that all it needs is for developers to verify their accounts by confirming their mobile phone number or credit card details, and after that you’re free to write whatever applications you like.

Create application

I wouldn’t imagine it’s very difficult for cybercriminals to get their hands on a credit card or a pay-as-you-go mobile phone number. And so there’s hardly any barrier at all before they start writing rogue apps that point to revenue-generating survey scams, steal personal information, direct users’ web browsers to malicious sites, or spam from your account.

It hasn’t always been this way. In November 2008, Facebook introduced an application verification program – inviting developers to pay $375 to have their apps checked out by Facebook, and given a special “badge”.

However, this verification system was optional, and the following year, Facebook killed the program off.

Every day I encounter new malicious apps on Facebook, that are happily spreading on the social network, compromising users’ profiles and driving people to distraction.

Maybe it’s time that Facebook put in place a compulsory verification system for apps? After all, it’s working well for the iPhone. And it seems other people agree..

Sophos poll about whether Facebook should verify apps

If you want to learn more about security threats on Facebook, don’t forget you can join the Sophos page on Facebook.