A somewhat troubling security flaw has been found in the mobile apps for Facebook and Dropbox. Both apps (and presumably others) store access tokens in an unsecured plain text .plist file that can be read easily with certain free file management tools. The flaw affects both the iOS and Android versions of Facebook, though Dropbox’s Android version stores the file more securely.
The problem was first discovered by Gareth Wright, who was exploring the practice of modifying .plist files as a means of cheating on certain iOS games. When digging through OMGPOP’s popular Draw Something app, Wright found an access token for Facebook stored in plain text within the app.
This led him to begin poking around the Facebook app itself, where he discovered that the app stored an OAuth key in plain text as well, completely unencrypted. This key granted complete access to Wright’s Facebook account when he copied it to a friend’s phone. When Wright contacted Facebook about the problem, they replied that they were aware of it and working on a fix.
Following up on Wright’s work, The Next Web managed to get a fuller statement out of Facebook. Facebook claimed that the exploit only works if a user’s phone is jailbroken. This, however, is false: the tool Wright was using, iExplorer, works perfectly well on non-jailbroken devices. Moreover, Wright says that it also works on passcode-protected devices.
The Next Web was also able to duplicate Wright’s work with the Dropbox iOS app. Using iExplorer, they copied a plain text .plist file from one device to another, and used it to gain access to the first user’s Dropbox account on the second phone. When asked for comment, Dropbox told them that it was aware of the issue and was currently preparing an iOS update that would fix the problem.
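The underlying defect in both cases is the same: a credential written into an ordinary preferences .plist in the app sandbox, where any tool that can read the filesystem (or a backup of it) can parse it with no key or password. The script below is an added example, not code from the article, Facebook or Dropbox, showing the check a developer or app reviewer can run over an app’s preferences files: it builds a constructed sample plist in the binary format iOS uses, parses it with Python’s standard plistlib, and flags string values stored under credential-looking keys. The sample key names and token values are invented for the example.

```python
import datetime
import os
import plistlib
import re
import tempfile

# Constructed sample of what an app's Library/Preferences/<bundle-id>.plist might
# contain when session credentials are written straight into NSUserDefaults.
# Every key name and value below is made up for this example.
SAMPLE_PREFS = {
    "FBAccessToken": "EXAMPLE-TOKEN-0123456789abcdef",
    "FBAccessTokenExpiry": datetime.datetime(2012, 4, 30, 12, 0, 0),
    "lastSyncDate": "2012-04-03",
    "ui": {"theme": "light", "oauth_secret": "EXAMPLE-SECRET-fedcba"},
}

# Key names that usually label a credential. This is a heuristic: a false
# positive costs a minute of review, a false negative costs an account.
SENSITIVE_KEY_RE = re.compile(r"token|secret|passw|session|oauth|auth", re.IGNORECASE)


def find_plaintext_secrets(obj, path=""):
    """Walk a deserialised plist and return (path, value) pairs whose key looks
    credential-like and whose value is a readable string or byte string."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}" if path else str(key)
            if isinstance(value, (str, bytes)) and SENSITIVE_KEY_RE.search(str(key)):
                hits.append((child, value))
            else:
                # Containers (and non-string scalars, which yield nothing) are
                # descended into so nested dictionaries are not missed.
                hits.extend(find_plaintext_secrets(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return hits


def audit_plist(path):
    """Parse a plist (XML or binary; no key is needed, which is the whole
    problem) and list the credentials it exposes."""
    with open(path, "rb") as fh:
        return find_plaintext_secrets(plistlib.load(fh))


def write_sample_plist(path, fmt=plistlib.FMT_BINARY):
    """Write the constructed preferences file in the binary format iOS uses."""
    with open(path, "wb") as fh:
        plistlib.dump(SAMPLE_PREFS, fh, fmt=fmt)


def demo():
    """Round-trip the sample through a temporary file and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "com.example.app.plist")
        write_sample_plist(path)
        return audit_plist(path)


if __name__ == "__main__":
    for location, value in demo():
        print(f"plaintext credential at {location}: {value!r}")
```

Run against a real app, `audit_plist` would be pointed at the preferences files in a simulator container or a decrypted device backup; any hit is a token that travels with the file, exactly as in the device-to-device copy described above. The fix on the app side is to keep session tokens out of NSUserDefaults altogether and store them in the iOS Keychain (SecItemAdd with an accessibility class such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly), so the value is bound to the device and unavailable while it is locked.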
Now, before you get too freaked out about this flaw, it’s worth noting one important fact: tools like iExplorer have to be physically connected to your device in order to gain access. That means that for someone to read these plain text files on your phone, they have to actually have possession of it. In other words, only someone to whom you hand your phone, who finds it when you lose it, or who steals it could use this exploit to get at your personal data. So while this is a pretty serious oversight, it’s not much of a direct threat to the average user, as long as they retain physical control of their device.