A security hole recently discovered in Facebook’s iOS and Android apps has now been found in Dropbox’s iOS app as well. The flaw allows anyone with physical access to your phone to copy your login credentials — because, get this, both companies store your login information in unencrypted text files.
Yes, folks, it’s 2012 and some major developers are still overlooking simple logon security. The news shocks me even more than apps like Path stealing address book data, because it shows that even big companies — which we trust increasing amounts of our personal data to — can still have trouble with security basics.
The hole was first discovered by security researcher Gareth Wright, which led to a quick response from Facebook that claimed the flaw only affects jailbroken (or purposefully hacked) devices. But The Next Web discovered this morning through its own testing that non-jailbroken devices are also affected and that the flaw could be exploited when plugging your device into a public computer.
“The long and short of it is that regular, non-jailbroken devices are vulnerable to this because it is a flaw in the way that Facebook stores that .plist file containing your information,” The Next Web’s Matthew Panzarino writes. The site also reports that Dropbox’s iOS app (but not its Android app) has a similar security flaw.
As Wright says, it’s anyone’s guess why Facebook isn’t using the iOS keychain or other encryption methods to properly manage its login credentials. Both Facebook and Dropbox are aware of the issue and are updating their apps.
“It’s hard to speculate, but we do know that fully securing application data on a device that is physically exposed to an attacker is extremely challenging to do,” Tim Wyatt, Principal Engineer at Lookout Mobile Security told VentureBeat in an e-mail. “Best practice is to make use of APIs such as Android’s AccountManager or the iPhone Keychain to ensure that sensitive data such as access tokens or other user credentials are stored centrally in the most secure manner possible.”
Update: The Next Web has updated its initial post to confirm that the security risk doesn’t exist if you’ve password-protected your iPhone.