Unfortunately, I have to agree with TallManNY. Facebook app has been the buggiest app I have on my iPhone. Even though it recently got better, I am not surprised that their developer team turned out really lazy about security.
 
In other news..... people who don't have password protection on their phones have a high probability of data compromise when they lose their phone.


That's not entirely accurate. MOST of the files on the iPhone are still only encrypted with a key that is accessible to anyone with physical access to your phone. The *other* key you're thinking of (the one that goes with your passcode if you have one set) only currently encrypts emails, plus any files that an app developer WANTS encrypted. FB probably does not bother using that API. This is all still true as of iOS 5.1.

Therefore, until Apple gets around to encrypting ALL user files with the passcode and not just the accessible device key, you are vulnerable just by losing your phone.

And to those who would argue "just don't lose your phone": things like encryption are supposed to protect against the lost phone scenario. If physical access automatically gets around encryption, I fail to see the point of the encryption.
 
Doesn't Apple approve all apps before they are offered on the AppStore? I don't know what goes into "approving" an app, but it seems like proper handling of authentication data should be one of them.
 
Apple engineers and even Geniuses in the retail stores will tell you (and rightfully) that Facebook is a poorly written application. Aside from the aforementioned issue, Facebook is a memory hog and one of the reasons for battery drain. Check your logs on your iPhone (Settings -> General -> About -> Diagnostics & Usage -> Diagnostics & Usage Data), you should find LowMemory and other logs related to Facebook. Closing the app in the multitasking bar should speed up your iOS device, especially for older devices, while cutting back on battery usage.

Apple has been on Facebook regarding this issue but to no avail. With Facebook's popularity they seem to have Apple by the nads.

Almost everything in that post is wrong.
The LowMemory warnings are a part of how iOS works and have nothing to do with how well the app is written. iOS is designed to tell the app that the memory gets low and then the app has to free memory. The app is free to fill up memory with caches and stuff until it gets such a warning.

When the app is suspended, the memory consumption doesn't affect other apps. When other apps need the memory, suspended apps get killed. Suspended apps also don't get CPU time, either. Look it up.

And Apple doesn't "contact" developers if they think the apps are poorly programmed. Maybe that's something a Genius will say to calm down a customer, but it's not true. Imagine the outrage if Apple not only rejected unwanted apps, but those that simply use all the memory the device has or don't scroll fast enough.
 
I suggest adding a clause to that statement:

...or by using a cable that only has no data connection when charging your device with an untrusted source.

Does this apply if you have a passcode in place on your iOS device or can programs like iExplorer still access your files even with a passcode on?
 
Unfortunately, I have to agree with TallManNY. Facebook app has been the buggiest app I have on my iPhone. Even though it recently got better, I am not surprised that their developer team turned out really lazy about security.

Facebook's programmers are terrible, but the program was far worse on Android.

Visualize a shrunken down mobile interface, but stretched to massive Desktop-size in scale (lots of white space), or a program hard-coded to use GPS, even if your device doesn't have one (it meant instant crash on many tablets or other non-phones, and would translate to the same if the iOS version did that on an iPod touch or non-3G iPad), or programming so sloppy, they don't have any exception handling (the program doesn't know how to handle errors, so just hard-crashes any time something goes wrong).

They recently fixed the "require GPS" issue on Android, but I don't think they fixed the other stuff.

I've deleted Facebook off my iPhone and re-downloaded it FAR more than any other program. It's the only way to fix when it loads to a white screen, when it shows empty Contact list, etc. The program simply self-corrupts somehow.

I don't know how a company with so many billions can't seem to find any decent iOS or Android programmers.
 
 
Does this apply if you have a passcode in place on your iOS device or can programs like iExplorer still access your files even with a passcode on?

If you have a passcode and your phone is currently locked, iExplorer cannot access your files.
 
Darn it!

I never thought about having public charging stations before. Now the idea is in my head and I want them! But they wouldn’t be safe.

(I bet someone will make an adapter that passes ONLY power through the dock connector, for just this kind of safety. Maybe those cables with a switch to toggle synch would do the trick already.)
 
I don't know how a company with so many billions can't seem to find any decent iOS or Android programmers.

Because they can't find decent programmers period? Or alternatively just don't care and allow their programmers to be lazy? Have you seen how buggy their webpage is?

Granted, maybe things have changed (I barely use FB anymore and I only keep it around to keep in contact with some college friends I don't really have much other contact with otherwise) but I would be surprised.
 
Unfortunately, I have to agree with TallManNY. Facebook app has been the buggiest app I have on my iPhone. Even though it recently got better, I am not surprised that their developer team turned out really lazy about security.

Good point. You'd think one of the most popular websites in the world would be able to afford a mobile development team to make a legitimate app. They've got like one guy on it who works on it during his lunch break.
 
Honestly it sounds like Android is much more vulnerable than iOS to this issue, as every Android phone is essentially jailbroken. iOS users would either have to tether or jailbreak to be affected, but Android users (and iOS jailbroken users) could be affected by rogue apps. Security issues like this are the main thing keeping me from jailbreaking my phone.

On Android every app runs with a different unix UID. If the Facebook app sets the correct permissions on its settings file, no other app can read it without exploiting the Android kernel first.

By default, Android does not allow access to its internal storage over USB. Only when USB debugging is enabled does a user run the risk of this happening.

So out of the box, Android devices are better protected against this than iOS devices.
 
Facebook has never been serious about security, despite their efforts to make using their platform as annoying as possible.

However, I'm a little surprised by the sloppiness of DropBox with this. They have a great security record and are widely used in the enterprise market.

I'm not surprised we're getting excuses from Facebook but let's hope we get a quick fix from Dropbox.
 
If you have a passcode and your phone is currently locked, iExplorer cannot access your files.

Actually, media files are accessible. AND it doesn't matter what iExplorer can/can't see: The entire filesystem of an iPhone can be decrypted from a key that is findable ON the phone itself by someone who has physical access to your phone and can put it in DFU and compromise it. There are publicly available tools for this. The ONLY files they won't be able to access if you have a decent passcode are your emails, email attachments, and any files that app developers have decided to encrypt via one of Apple's protection class options.

It's like this: There's a lock on your front door but the key is under the mat. Inside your house there's a small safe that contains just a few things but the REST of your stuff is sitting out on the kitchen table. If you have a passcode, the safe itself is locked. If you have a weak passcode, the safe is crackable. Strong passcode: not so much. But your other stuff is still on the kitchen table.
 
If you have a passcode, the safe itself is locked. If you have a weak passcode, the safe is crackable. Strong passcode: not so much. But your other stuff is still on the kitchen table.

This is exactly why apps should store credentials inside the safe (==KeyChain) and not put them on the kitchen table.
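
The point made in the post above, as an added example (not code from the thread or from any app it discusses): a credential kept in the Keychain with an accessibility class that is only available while the device is unlocked, plus the file-level equivalent for larger data. The service and account names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; not taken from any real app.
let service = "com.example.demo.session"
let account = "oauth-token"

enum KeychainError: Error { case status(OSStatus) }

/// Store a credential in the Keychain ("the safe") instead of a plist file.
func saveToken(_ token: String) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier item so saving twice does not fail as a duplicate.
    SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecValueData as String] = Data(token.utf8)
    // Readable only while the device is unlocked, and not restored onto a
    // different device.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the credential back; returns nil when no item exists.
/// While the device is locked this throws (errSecInteractionNotAllowed).
func loadToken() throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.status(status)
    }
    return String(data: data, encoding: .utf8)
}

/// For data too large for the Keychain, request the complete-protection
/// file class (one of the protection class options mentioned above).
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}
```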
 
If someone has physical access to my Mac they can get quite a few passwords. What's the news here?
 
Almost everything in that post is wrong.
The LowMemory warnings are a part of how iOS works and have nothing to do with how well the app is written. iOS is designed to tell the app that the memory gets low and then the app has to free memory. The app is free to fill up memory with caches and stuff until it gets such a warning.

When the app is suspended, the memory consumption doesn't affect other apps. When other apps need the memory, suspended apps get killed. Suspended apps also don't get CPU time, either. Look it up.

And Apple doesn't "contact" developers if they think the apps are poorly programmed. Maybe that's something a Genius will say to calm down a customer, but it's not true. Imagine the outrage if Apple not only rejected unwanted apps, but those that simply use all the memory the device has or don't scroll fast enough.

Sorry, this is extremely erroneous. I wish I could state otherwise. It's been a major contention between Apple and Facebook, corporate wise. Unless you are privy to information I am not. Facebook isn't a "developer" it's a company in the mindset of Apple and is thus governed by different laws than say the developer of "Angry Birds". Apple has a relationship with Facebook outside of the iOS market evident by the incorporation of Facebook into much of iLife/OS X. The low memory logs and leaks simply running the application are proof enough, if you believe otherwise well I do not know what else I can state. No offense meant. :)
 
If someone has physical access to my Mac they can get quite a few passwords. What's the news here?

Do you ever plug a Firewire device you don't trust into your Mac? Or a USB device into your iPhone/iPod/iPad? That is the news here. Mobile charging stations are popping up everywhere, and it is not safe to plug an iOS device into them.
 
Go in the settings of your Facebook app and you might find some odd things, I did. When I looked at my last 10 sessions, two from April 1st came from some town in PA, I live in CA. Given this info plus how slow and buggy the FB app is, I may just delete it and never use it again.
 
Do you ever plug a Firewire device you don't trust into your Mac? Or a USB device into your iPhone/iPod/iPad? That is the news here. Mobile charging stations are popping up everywhere, and it is not safe to plug an iOS device into them.

Didn't they fix the FireWire thing back in the G5 days?

And if my phone is turned off (or battery is dead) then plugging it into a random charging station isn't going to do a thing.
 
Actually, media files are accessible. AND it doesn't matter what iExplorer can/can't see: The entire filesystem of an iPhone can be decrypted from a key that is findable ON the phone itself by someone who has physical access to your phone and can put it in DFU and compromise it. There are publicly available tools for this. The ONLY files they won't be able to access if you have a decent passcode are your emails, email attachments, and any files that app developers have decided to encrypt via one of Apple's protection class options.

It's like this: There's a lock on your front door but the key is under the mat. Inside your house there's a small safe that contains just a few things but the REST of your stuff is sitting out on the kitchen table. If you have a passcode, the safe itself is locked. If you have a weak passcode, the safe is crackable. Strong passcode: not so much. But your other stuff is still on the kitchen table.

Sorry, I was commenting on the possibility of 'drive-by' data theft. A passcode is sufficient to prevent 'drive-by' data theft from plugging a phone into a public charging station or PC. Putting a phone into DFU mode isn't something someone would do while charging their phone I would hope.
 