Facebook Mobile SDK Vulnerability

metaintell.pngLast week I came across a post by MetaIntell regarding a Facebook SDK vulnerability under iOS and Android "affecting billions of installations". I have used the Facebook SDK in multiple Android apps so dug deeper.

There’s more information on the MetaIntell blog. On iOS, the Facebook SDK is storing access tokens in the app’s .plist and this can be examined by someone who has physical access to the device. I have tried this and it’s possible. However there’s no explanation for Android which stores tokens in the Android sandbox which isn’t accessible to connected desktops unless the device has been rooted. MetaIntell told me it’s a bit more difficult on Android. You need to put the device in backup mode and then backup and restore the token from backup. I am still waiting to hear never heard back from MetaIntell how this is possible. They seem shy on giving more details. If it’s true then any sandboxed information such as databases, files and other settings (SharedPreferences), for any app, would also be accessible.

So, for now it seems it’s a problem on iOS and almost certainly much less of a problem on Android. However, on both platforms this vulnerability requires physical access to the device so while it might affect "billions of installations" it can only affect those users that have ‘lost’ their device. Hence, it’s of low concern given it’s not (yet) a vulnerability that can be taken advantage of from other apps (malware) on the device.