January 20, 2011

Sophos: Facebook Should Better Monitor App Security

Experts at Internet security company Sophos said that Facebook should adopt tighter security measures to protect its users, as a rise in unmonitored applications endangers the social network's 650 million users.

Experts from the firm suggested it should mimic Apple's App Store, which inspects all programs available for download.

But Facebook said its data shows the opposite of Sophos and that it already has "extensive" protection for users. "We have a dedicated team that does robust review of all third party applications, using a risk based approach," the firm is quoted as saying by BBC News.

"That means that we first look at velocity, number of users, types of data shared, and prioritize. This ensures that the team is focused on addressing the biggest risks, rather than just doing a cursory review at the time that an app is first launched," it said.

Sophos said that reviewing apps before launch had "proven effective in protecting users."

In Sophos' 2011 Threat Report, which highlights the major online dangers to be expected over the next 12 months, the company points out that Facebook is now one of the biggest targets for criminals and fraudsters.

Part of this is due to the site's size and popularity -- but also because Facebook allows anyone to build applications, games, surveys and other programs. The most popular ones have been downloaded tens of millions of times.

While this open system may be good business for Facebook, it leaves inexperienced users vulnerable to attacks from malicious hackers who build fake apps that trick people into handing over private information.

"Facebook, by far the largest social networking system and the most targeted by cybercriminals, has a major problem in the form of its app system," said the report.

To fight this, the report suggests Facebook could learn a lesson from mobile phone makers such as Apple, which has strict controls over what applications are available for users of its iPhone and iPad.

"A 'walled garden' approach may be more suitable," said the report. "This is the way the Apple App Store operates, with applications requiring official approval before they can be uploaded to the site and shared with other users."

Although this type of approach could screen users from fraudulent apps, it would not be without faults. Apple's own process has been criticized in the past for seemingly arbitrary rules that resulted in some apps being banned while similar ones were allowed through.

Alternatively, Sophos said Facebook could offer more detailed controls over security, allowing users to decide more easily which applications can run on their profile.

But Facebook says it already does this.

"We have built extensive controls into the product, so that now when you add an application it only gets access to very limited data and the user must approve each additional type of data," the company told BBC News in a statement.

"We make sure that we act swiftly to remove [or] sanction potentially bad applications before they gain access to data, and involve law enforcement and file civil actions if there is a problem," it said.

It also says that its own data suggests Sophos has exaggerated the problem.

"As a result of our efforts, the data we have on interactions of more than 500 million people using Facebook shows that spam, malware and other attacks have decreased in their effectiveness, the opposite of the conclusion reached by a security vendor," the social network added.

The advice came just one day after Facebook halted a new feature that exposed users' telephone numbers and home addresses to anyone building applications.

The change, which the company said was intended to "streamline" information sharing, was suspended after complaints that it would easily become a target for abusers.

As well as highlighting problems with Facebook, the Sophos report also analyzed a number of other security trends it said would increase over the coming months, including clickjacking and spearphishing.

Clickjacking is a user-interface attack rather than malicious code hidden in a link: the attacker's page shows a lure, often a promised picture or joke, and lays an invisible frame of the target site over it, so a click aimed at the lure actually presses a hidden control on the target site, such as a button that shares or endorses the attacker's page from the victim's own account. Because each victim then spreads the lure to their contacts, such attacks propagate rapidly through networks like Facebook and Twitter.
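To make the mechanism concrete, here is an added example (not code from the article, Sophos or Facebook): the first function builds the kind of page the attack uses, and the second models how a browser decides, from a site's response headers, whether that site may be framed at all, which is the defence the target site controls. All URLs, the lure text and the button position are hypothetical; the policy matching is a simplified model of `X-Frame-Options` and the CSP `frame-ancestors` directive (no path matching, and a scheme-less host source matches any scheme), not a full CSP parser.

```javascript
// Added example, not code from the article, Sophos or Facebook. URLs, lure text
// and the button position are hypothetical. Runs under Node.js (uses the global URL).

// Attacker side. A visible lure sits underneath a full-size, fully transparent
// <iframe> of the target page. The frame has the higher z-index, so the victim
// sees and aims at the lure, but the browser delivers the click to whatever the
// target page has at that spot (for example a one-click "Like" or "Share" button).
function buildClickjackPage(targetUrl, lureText, lureTop, lureLeft) {
  return [
    '<!doctype html><html><body>',
    `<div style="position:absolute;top:${lureTop}px;left:${lureLeft}px;z-index:1">${lureText}</div>`,
    `<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;` +
      'width:800px;height:600px;border:0;opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Defender side. Would a browser that honours the target's response headers let
// the page at framerUrl embed the page at targetUrl? Content-Security-Policy
// frame-ancestors, when present, takes precedence over X-Frame-Options; with
// neither header the page is frameable and the attack above works.
// Simplified model: no path matching, and a scheme-less host source matches any scheme.
function framingAllowed(responseHeaders, targetUrl, framerUrl) {
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const target = new URL(targetUrl);
  const framer = new URL(framerUrl);

  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    // An empty source list, like 'none', allows no ancestor at all.
    return sources.some((src) => ancestorSourceMatches(src.toLowerCase(), target, framer));
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer.origin === target.origin;
  return true; // no header, or a value current browsers ignore (e.g. ALLOW-FROM)
}

// One frame-ancestors source expression against the framing page's origin.
function ancestorSourceMatches(src, target, framer) {
  if (src === "'none'") return false;
  if (src === "'self'") return framer.origin === target.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src; // scheme source, e.g. https:
  // host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== `${scheme}:`) return false;
  if (wildcard ? !framer.hostname.endsWith(`.${host}`) : framer.hostname !== host) return false;
  if (port && port !== '*') {
    const framerPort = framer.port || defaultPort(framer.protocol);
    if (framerPort !== port) return false;
  }
  return true;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Constructed scenario: a social site that sets no framing header is exposed to
// the attacker page; the same site behind frame-ancestors 'self' is not.
const lurePage = buildClickjackPage('https://social.example/like?id=42', 'Click to see the picture!', 120, 80);
const noProtection = framingAllowed({}, 'https://social.example/like?id=42', 'https://evil.example/');
const withCsp = framingAllowed({ 'Content-Security-Policy': "frame-ancestors 'self'" },
  'https://social.example/like?id=42', 'https://evil.example/');
console.log(lurePage.length > 0, noProtection, withCsp); // true true false
```

The point of the second function is the asymmetry the article describes: the attacker needs nothing from the target site except that it can be framed, and a site that emits `frame-ancestors` (or at least `X-Frame-Options`) on its one-click endpoints removes that precondition regardless of how the lure is dressed up.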

Spearphishing is phishing aimed at a specific individual or organization: rather than generic bulk spam, the message is tailored with details about the target to make it convincing and to extract particular information from that person.

"Cybercriminals prey on our curiosity and perhaps our vulnerability and gullibility, and use psychological traps to profit from unsuspecting technology users," the report concluded.
