Facebook: iOS-based credential theft only works on lost or jailbroken devices (Updated)

[ShyWriter]

.

Facebook: iOS-based credential theft only works on lost or jailbroken devices (Updated)

By Dan Goodin | Published a day ago

Photograph by s0.geograph.org.uk

Are the Facebook apps for iOS and Android susceptible to exploits that allow attackers to steal credentials used to log in to the social networking site? Facebook has largely discounted a recent report claiming as much, stating that such an exploit only works when users have modified their operating systems or granted an attacker physical access to their devices.

The attack was first proposed by app developer Gareth Wright, who discovered that a Facebook configuration file kept on iPhones and other Apple devices stored the cryptographic tokens that apps use to authenticate themselves. He later told The Register that Android devices probably suffered from a similar weakness that also stemmed from the failure to cryptographically secure the token.

On Thursday, however, Facebook said the exploit can't be carried out unless users jailbreak or mod their devices or an attacker physically connects to the phone.

"Facebook's iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device," a Facebook spokesperson told Ars.

"We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device."

iOS uses a protective sandbox to prevent applications from accessing .plist files and sensitive data used by other apps. Google's Android uses a file-permissions system that restricts each app to its own file directory, according to Accuvant principal research consultant Charlie Miller. As long as the mobile OSes haven't been modified, those protections should remain intact and prevent attackers from accessing the tokens on the device.

Wright confirmed to Ars that his attack would work only if someone uses a jailbroken version of iOS or an adversary is able to plug the targeted device into hardware that is able to siphon the iDevice's Facebook .plist (property list file) that is readily available in storage.

"An iOS device only has to be plugged into a PC or Mac for a couple of seconds to have its plists copied," Wright wrote in an e-mail. "Jailbroken or not, they're equally vulnerable."

He devised a proof of concept attack that used a background app running on a shared PC that captured the login credentials of any iOS device that connected to it. The scenario, he said, is "something that happens a lot at universities and workplaces as users charge their devices." He envisioned a determined attacker using a speaker dock or other piece of hardware that could use modified firmware to do much the same thing.

Update: On Friday, almost 24 hours after Ars published this report, Wright amended his post to say that the attack won't work on non-jailbroken Apple devices that are passcode-protected.

"They are safe when they connect to a PC or Mac that the user has never synced to before as long as a user doesn't unlock the device while still connected," he further explained in an email. "An unlocked device connected over USB is still affected."

SOURCE: http://arstechnica.c...d=related_right

Steve