Facebook Hacks Points To Much Bigger Threat For Mobile Developers

DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However, following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."
  • by hsmith ( 818216 ) on Monday February 18, 2013 @02:52PM (#42937691)
    If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications [barnesandnoble.com] was eye opening - and how many devs read it?

    Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

    Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.
  • by gl4ss ( 559668 ) on Monday February 18, 2013 @03:07PM (#42937821) Homepage Journal

    If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications [barnesandnoble.com] was eye opening - and how many devs read it?

    Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

    Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.

    huh, wtf you're smoking? any app you give away to be run in users computers is suspect to the user modifying it. ain't no platform security that works out there. so that book is one big pile of snake oil (of course securing the communications between you and the user to some degree is important.. but you shouldn't blindly trust that information that the client is sending). it's kind of useless to encrypt the "registered or not" db you're using when the key is there in the program. of course platforms have varying degrees of difficulty for people to hack (j2me and non-ndk android being on the easier side, of course).

    but the basic idea that you could just trust the client to keep iap information etc secure is just.. stupid. same goes for pc drm of course and this is why diablo and the new sim city are moving game logic into the servers so what the user has becomes just dumbed down client, so hacking it doesn't give access to the sweets.

  • Re:My bad. (Score:4, Interesting)

    by GeorgieBoy ( 6120 ) on Monday February 18, 2013 @03:12PM (#42937853) Homepage

    In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...

    I left FB in 2009 and haven't looked back.

  • Re:Not just mobile (Score:5, Interesting)

    by gl4ss ( 559668 ) on Monday February 18, 2013 @06:38PM (#42939485) Homepage Journal

    F-Secure have been trying their damnedest to scare people into buying their garbage for Macs, so they'll take any opportunity they can get.

    yeah.. having now read it, the investigation uses proof of macs that fb had a mac on a promo picture of their security team(showing some powerpoint or keynote).

    that's not an investigation, it's gossip.
