Facebook logins aren’t being properly protected on iPhones, iPads and Android devices

Facebook logins aren't being properly protected on iPhones, iPads and Android devices

iExplorerIt’s not really news to discover that developers who write games for Apple devices running iOS – namely the iPhone, iPad and iPod Touch – have tended to save user settings in plain, unencrypted text.

The idea of somebody tinkering with those text files is worrisome to those who fret about cheating in iPhone or iPad games, but few have worried about the seriousness of the data leaking out.

Until now that is.

Developer Gareth Wright recently found that, as he posted on Tuesday, “high scores should be the least of [users’] worries.”

Namely, the lack of encryption on both Facebook’s iOS and Android clients leaves them “languishing in a folder accessible to other apps or USB connections,” as The Register reports.

When poking around in application directories with the iExplorer tool (previously iPhone Explorer, a freeware program for the Mac and PC that lets you browse files on your iPhone or iPad like a flash drive), Wright found a plain text Facebook access token in the popular Draw Something game.

When Wright copied the hash and tried a few Facebook Query Language (FQL) queries, he found that he could pull back “pretty much any information” from his own Facebook account.

Facebook and smartphoneLooking into his Facebook application directory, Wright found cached images and the com.Facebook.plist (a .plist being the extension used for a property list file, often used to store a user’s settings).

He didn’t just find an access token – rather, he found the full authorisation credentials in plain text.

iOS games often store high scores in plaintext and rely on the OS for protection. But some also store Facebook-connection tokens in the same place.

While such tokens are only valid for 60 days, Facebook itself stores a similar token that lasts until 1 Jan 4001.

A hacker who copies that token onto another device can get into users’ Facebook accounts until the cows come home. Heck, if you wait until 4001, the cows will likely have mutated and evolved into space explorers.

Wright sent the plist over to his friend and blogger, Scoopz. Within minutes, he watched as his Facebook account was hijacked. Here’s how he tells it:

"After backing up his own plist and logging out of Facebook [Scoopz] copied mine over to his device and opened the Facebook app..."

"My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added."

"Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends."

"Even after restoring his own plist he still gets notifications for my games."

Game notifications on iOS. Image source: Gareth Wright

As The Register’s Bill Ray notes, all that’s needed to get somebody’s Facebook temporary login credentials are “a rogue application or two minutes with a USB connection.” The situation is exacerbated by Facebook’s liberal definition of “temporary” being “that which lasts until the year 4001.”

With iOS, you can even lift data from a backup, which would let a hacker get away with all sorts of Facebook hijinx.

Wright concocted five proofs of concept that netted him over 1,000 Facebook IDs. He deleted the data without copying it, no harm done, and gave Facebook a head’s-up about the matter.

It’s a similar story on Google’s Android platform – which is more open than Apple iOS, and relies upon the developer to make a sensible decision as to whether the sensitive data is stored safely or not.

Facebook is working on closing the hole. In the meantime, developers should do the same, Wright says:

"Unless app developers follow suit and start encrypting the 60-day access token Facebook supplies, it's only a matter of time before someone starts using the info for ill purpose... if they aren't already."

Wright’s proofs of concept include a modified speaker dock, a game-editing tool with a bit of added code, and a piece of hardware the size of a credit card that can copy a device’s plist in a matter of seconds.

Given that the vulnerability can be exploited with hardware and physical access, Wright says he’ll be thinking twice about plugging his devices into shared PCs, public music docks or charging stations.

Sounds like good advice for the rest of us.