Facebook does many things very well, but most would agree that they are not particularly adept at managing their users’ privacy or security.
A recent example hit me the other day while browsing the Facebook iOS SDK integration docs. Facebook suggests that developers using the SDK store the Facebook access token, the credential that grants a client (e.g. an iPhone app) access to the Facebook platform on the user's behalf, in the iOS user defaults (NSUserDefaults). This is not secure: anyone who obtains the token can masquerade as the user on Facebook and effectively hijack the user's identity.
What is a Facebook access token?
A Facebook access token allows a third-party app to interact with Facebook on behalf of a particular user. It is a bearer credential: Facebook does not check who presents it, so whoever holds the token is that user as far as the API is concerned. Depending on what permissions the user granted to the app, the holder of the token can do anything from posting to a friend's wall to reading all of the user's personal information. It is important, therefore, that the token is only ever accessible to the app it was issued to.
What are iOS user defaults?
As any iOS developer knows, NSUserDefaults is where an app stores a user's preferences and other small pieces of state that should persist across app sessions: a user ID, a preferred colour scheme, the user's first name, and so on.
User defaults, however, are not secure. They are written as an unencrypted property list inside the app's sandbox (Library/Preferences/<bundle identifier>.plist), and while iOS apps cannot read another app's defaults, anyone who has access to your phone, or to an unencrypted backup of it, can easily extract the Facebook access token and use it to masquerade as you. You can confirm this yourself: run the app in the simulator, open the app's preferences plist with plutil -p, and the token is printed in the clear. Not a good scenario.
Facebook makes the suggestion in the “Implementing SSO” section of their iOS tutorial. The offending bits:
The right place to store secure data on iOS devices is in the keychain.
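The following is an added example, not code from the Facebook SDK or from the original post. It shows the insecure NSUserDefaults pattern the post describes next to a small keychain-backed replacement for it. The class name FBTokenStore, the service and account strings, and the FBAccessToken key are illustrative names chosen for this example; the code assumes ARC and links against the Security framework.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Illustrative identifiers for the one keychain item this app owns (not
// values from the Facebook SDK): a generic password keyed by (service, account).
static NSString * const kFBTokenService = @"com.example.myapp.facebook";
static NSString * const kFBTokenAccount = @"access_token";

// The pattern the post objects to: the token lands unencrypted in the app's
// preferences plist, readable from the device or from an unencrypted backup.
static void storeTokenInsecurely(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"FBAccessToken"];
    [[NSUserDefaults standardUserDefaults] synchronize];
}

// Hardened replacement: the same token kept as a keychain item.
@interface FBTokenStore : NSObject
+ (BOOL)saveAccessToken:(NSString *)token;
+ (NSString *)loadAccessToken;
+ (BOOL)deleteAccessToken;
@end

@implementation FBTokenStore

// Attributes that identify our item; shared by add, lookup and delete.
+ (NSMutableDictionary *)itemQuery {
    NSMutableDictionary *q = [NSMutableDictionary dictionary];
    [q setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id)kSecClass];
    [q setObject:kFBTokenService forKey:(__bridge id)kSecAttrService];
    [q setObject:kFBTokenAccount forKey:(__bridge id)kSecAttrAccount];
    return q;
}

+ (BOOL)saveAccessToken:(NSString *)token {
    // SecItemAdd fails with errSecDuplicateItem if the item already exists,
    // so remove any stale token first (a token refresh is the common case).
    SecItemDelete((__bridge CFDictionaryRef)[self itemQuery]);

    NSMutableDictionary *attrs = [self itemQuery];
    [attrs setObject:[token dataUsingEncoding:NSUTF8StringEncoding]
              forKey:(__bridge id)kSecValueData];
    // Readable only while the device is unlocked, and bound to this device:
    // the item is never restored onto a different device from a backup.
    [attrs setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
              forKey:(__bridge id)kSecAttrAccessible];

    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL) == errSecSuccess;
}

+ (NSString *)loadAccessToken {
    NSMutableDictionary *query = [self itemQuery];
    [query setObject:(id)kCFBooleanTrue forKey:(__bridge id)kSecReturnData];
    [query setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;   // errSecItemNotFound when the user has never logged in
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Call this on logout so the token does not outlive the session.
+ (BOOL)deleteAccessToken {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)[self itemQuery]);
    return status == errSecSuccess || status == errSecItemNotFound;
}

@end
```

Two points worth keeping in mind. First, the accessibility attribute matters as much as the move to the keychain: kSecAttrAccessibleWhenUnlockedThisDeviceOnly keeps the item encrypted while the device is locked and stops it from migrating to another device through a backup, which is exactly the exposure the user-defaults plist has. Second, the keychain limits who can read the token at rest; it does not make the token unreadable. On a jailbroken device whose passcode is known, the item can still be dumped, so delete the token on logout and request the narrowest set of permissions the app actually needs.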