Facebook participated in the Federal Trade Commission’s Public Forum on Threats to Mobile Devices earlier this week, and it shared some of the best practices agreed upon at the forum in a note on the Facebook Security page.
The social network began the note by saying:
More than ever, people are using their mobile device as their primary means of accessing the Internet. This provides not only unparalleled access to information, but also millions upon millions of applications built by third-party developers. This platform approach enables users to experience great apps built by developers both large and small. However, this decentralized platform approach only works if there are strong, industrywide best practices around important app basics such as security. For this reason, we applaud the Federal Trade Commission for hosting its Public Forum on Threats to Mobile Devices and thank them for including Facebook in this important meeting.
Following is a summary of the 12 best practices shared by Facebook, but please refer to its note for complete details:
- Use HTTPS in a secure way: For Android, the social network recommends using application-programming interfaces (APIs) such as HttpsURLConnection, rather than SSLSocketFactory classes. For iOS, it recommends the high-level NSURLConnection API for network requests, rather than lower-level APIs such as CFStream. And for both platforms, Facebook suggests manually installing SSL certificates on testing devices, rather than using preprocessor variables and debug-only code to deactivate SSL validation.
- There are no client secrets: Rather than using secrets within apps to authenticate them to servers or perform client-side OAuth flows, Facebook suggests two-factor authentication, as well as storage of OAuth secrets on developers’ servers so that they remain secret.
- WebViews: For Android, the social network recommends restricting Web pages that can load inside WebViews with whitelists, preventing other sites from triggering local resources. For iOS, Facebook suggests not giving large privileges to these WebViews, as well as sanitizing their native inputs.
- Tap-jacking: Facebook described tap-jacking as apps overlaying content on top of other apps and tricking users into tapping buttons in the app underneath, and it recommends that Android developers call setFilterTouchesWhenObscured(true) on their views, adding that tap-jacking usually occurs only on jailbroken iOS devices.
- Race conditions on installing apps: In order to prevent previously installed apps from stealing Android permissions, Facebook suggests reducing exposure of components and explicitly authenticating callers of components.
- Controlling exposed features: For Android, the social network suggests exposing as little of apps as possible to other potentially malicious apps, and for iOS, apps should not perform state-changing actions on processing URLs without asking for confirmation from users.
- Watch out for internal URL schemes: For Android, Facebook reminds developers that custom URL schemes in intent filters can be triggered by both installed apps and malicious apps users open by clicking links, and for iOS, the social network recommends distinguishing internal URLs created by trusted sources from public URLs callable by external apps or made clickable in user contents.
- Authenticating callers of components: For Android, Facebook recommends using startActivityForResult() for calling activities that need to know their callers, adding that the user IDs of callers can be obtained using Binder.getCallingUid(). For iOS, rather than UIApplicationDelegate:application:handleOpenURL:, Facebook suggests implementing UIApplicationDelegate:application:openURL:sourceApplication:annotation: and using the sourceApplication to authenticate a URL caller over time.
- Use explicit intents and intent hijacking (Android): If private data are being transmitted in an intent, the social network urges the use of explicit intents, which ensure that the callees receiving the intents will be the ones they were intended for.
- Open redirects: Facebook cautions that if one component in an app takes a component as an input and redirects to it, all checks could be circumvented.
- SQL injection: For Android, Facebook suggests carefully sanitizing user input strings passed to exported content providers. For iOS, it recommends refraining from constructing SQL query strings directly, instead using a more abstract framework such as EGODatabase or FMDB.
- Language-based vulnerabilities (iOS): Facebook warns that Objective-C is susceptible to a variety of programming errors that can be exploited.
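As an added illustration of the "authenticating callers of components" item above (this is not code from Facebook's note), here is a hypothetical Android helper that applies both techniques the list names: getCallingPackage() for activities started with startActivityForResult(), and Binder.getCallingUid() for components served over Binder, with each caller pinned to a signing-certificate check rather than a bare package name. The package name com.example.companion and the assumption that the companion app is signed by the same developer are constructed for the example.

```java
import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper: decides whether the app that invoked one of our
// exported components is one we trust. Not Facebook's code.
public final class CallerCheck {
    // Constructed allowlist of companion package names.
    static final Set<String> ALLOWED_CALLERS =
            new HashSet<>(Arrays.asList("com.example.companion"));

    private CallerCheck() {}

    // For an exported Activity. getCallingPackage() is populated only when
    // the caller used startActivityForResult(); with plain startActivity()
    // it is null, so such callers are rejected.
    public static boolean activityCallerTrusted(Activity a) {
        String pkg = a.getCallingPackage();
        return pkg != null && trusted(a, pkg);
    }

    // For a ContentProvider or bound Service: call this from inside
    // query()/insert()/onBind() etc. Binder.getCallingUid() identifies the
    // caller only while an incoming Binder transaction is being handled;
    // our own UID means the request came from this app itself.
    public static boolean binderCallerTrusted(Context ctx) {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) return true;
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(uid);
        if (pkgs == null) return false;
        for (String pkg : pkgs) {
            if (trusted(ctx, pkg)) return true;
        }
        return false;
    }

    // A package name alone is a weak identity (an attacker can register it
    // first on a device where the real app is absent), so also require the
    // caller to be signed with the same certificate as this app. Assumes the
    // companion app is signed by the same developer.
    private static boolean trusted(Context ctx, String pkg) {
        if (!ALLOWED_CALLERS.contains(pkg)) return false;
        PackageManager pm = ctx.getPackageManager();
        return pm.checkSignatures(pkg, ctx.getPackageName())
                == PackageManager.SIGNATURE_MATCH;
    }
}
```

A component that fails the check should finish with RESULT_CANCELED or return an empty result rather than a descriptive error, so the refusal itself leaks nothing about the protected data.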
Image courtesy of Shutterstock.