Facebook Application Security: Learn About Potential Issues and Breaches, Get Tips for Improving Facebook Security
Since its launch in 2004, Facebook has become the world’s leading social networking site, with 901 million active users and over 9 million applications integrated with its platform [1]. Unfortunately, this explosion in popularity has also increased the security threats facing users. Staying secure on Facebook depends on both users and developers. Users need to be educated on current Facebook security issues so that they can recognize and avoid malicious content. Facebook application developers have to take measures when writing apps to ensure that users remain protected from threats such as data theft and malware.
Facebook Security Tips for Users
When it comes to the application level, there are several measures users can take to reduce Facebook security issues. For starters, users should regularly review and maintain the apps they have installed on their accounts. This can be done by clicking “Edit Settings” for Ads, Apps, & Websites on the Privacy Settings page. As a general rule of thumb, users should delete apps they no longer use or use infrequently, as these apps could still pose a threat to Facebook security. Additionally, users should delete any apps they don’t recognize and apps that don’t run correctly, as these are telltale signs of fake apps [2]. The Privacy Settings page for Apps, Games, and Websites also allows users to specify how their information is shared with apps, searches, ads, and other sites. Generally speaking, the less information a user shares, the safer they are. At a bare minimum, it is advisable that users do not list their mobile phone numbers or home addresses, as many apps have been found to access and collect this information [4].
The next step in improving user Facebook security is education. Users who are aware of the current methods used by Facebook attackers stand a much better chance of avoiding these attacks altogether. While many of these attacks are spam-related, there have also been cases linked to more serious issues such as personal data and identity theft. Many of these attacks come in the form of fake product pages, accounts, and apps [3]. Users should be skeptical of any apps, messages, recommendations, invitations, pages, or posts that contain questionable content, such as offers that seem too good to be true, unsolicited contact from unfamiliar users, and duplicate versions of apps or pages. Fortunately, Facebook security software will automatically lock, scan, and repair an account that has become infected with malware [6].
Facebook Security for Application Developers
Facebook application security is largely dependent on the security practices used by developers. The Facebook Developer App provides developers with a platform for securing their applications through a variety of settings. In order to securely test apps, developers can use “Sandbox Mode,” which allows application testing while keeping apps hidden from all users except a specified set of testers. There are four different roles developers can assign to testers, each with a different level of permissions. To protect apps from being taken over by malicious parties, Facebook allows developers to create whitelists so that only specified IP addresses can change application settings or make API calls. As a precautionary measure, Facebook notifies developers any time their app is modified, ensuring that their apps aren’t being edited without their knowledge [5]. Finally, Facebook security software includes tools for detecting and blocking bad links, scanning code for cross-site scripting, and additional protection against clickjacking and account takeovers [7].
1. Facebook. "Platform." Facebook Newsroom. N.p., 2012. Web. 18 June 2012. http://newsroom.fb.com/content/default.aspx?NewsAreaId=137.
2. Neo. "Configuring your Facebook Application Security Settings." The Pizzy. N.p., 25 Jan. 2011. Web. 18 June 2012. http://thepizzy.net/blog/2011/01/configuring-your-facebook-application-s....
3. Barracuda Labs. "Seven Annoying Attacks That Facebook Misses." Barracuda Labs. N.p., 16 Nov. 2011. Web. 18 June 2012. http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoyi....
4. Cluley, Graham. "Rogue Facebook apps can now access your home address and mobile phone number." Naked Security. N.p., 16 Jan. 2011. Web. 18 June 2012. http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-yo....
5. Facebook. "Application Security." Facebook Developers. N.p., Apr. 2012. Web. 18 June 2012. http://developers.facebook.com/docs/ApplicationSecurity/.
6. Facebook. "Everything You Ever Wanted to Know and More About Facebook Security." Oct. 2011. PDF file.
7. Rice, Alex. "Keeping Users Safe." Facebook Developer Blog. N.p., 13 May 2011. Web. 18 June 2012. http://developers.facebook.com/blog/post/499/.
Written by: Neil DuPaul