A security researcher has discovered a serious flaw in the Facebook and Dropbox apps for both Android and iOS that puts your account and sensitive personal data at risk: the apps store the access token that authenticates you in an unencrypted file on the device.
Anyone with physical access to your device can use a free, widely available piece of software to copy that plain-text file off the device, without a jailbreak, and the file provides access to your entire account.
Facebook has since issued a statement to deny there’s any issue on stock devices:
Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.
But Facebook is wrong. With a free application called iExplore, users can browse and copy all sorts of files from their device without jailbreaking it first, which allows the .plist holding your access token and other personal data to be extracted. The file is plain text, not encrypted or protected in any way, so anyone who has it can read it.
Facebook is correct, however, when it says that a “malicious actor” must obtain physical access to your device first. So there’s no need to worry about your data being stolen while you have possession of your handset. But if it’s lost or stolen, then there’s cause for concern.
The issue is not with Android or iOS themselves; it lies with these apps, which choose not to encrypt the data they store. So it’s up to Facebook and Dropbox to fix it. Other apps may be affected too, but these are the only two found to have the vulnerability so far.
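As an added example (not code from the article or from either vendor), here is a small Python audit script that an app reviewer could run over a copy of an app's preference .plist to flag values that look like plaintext credentials. It walks the plist (XML or binary), matches key names that commonly hold tokens, and only reports a value when it is long and high-entropy, so ordinary settings such as a theme or display name are not flagged. The sample plist, its keys and its token values are all constructed for this example; the `find_plaintext_credentials` function and the key-name pattern are assumptions of the example, not anything the apps themselves use.

```python
import math
import plistlib
import re
from typing import Any, Iterator

# Heuristic: key names that commonly hold credentials in app preference files.
# (Assumption of this example, not derived from either app's real key names.)
SENSITIVE_KEY_RE = re.compile(r"(token|secret|password|passwd|session|cookie|auth)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score well above settings text."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, leaf_value) for every scalar inside a nested plist object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def find_plaintext_credentials(plist_bytes: bytes, min_len: int = 16, min_entropy: float = 3.0) -> list[dict]:
    """Parse a plist and flag string values that sit under a credential-like key
    and look like a live token (long, no spaces, high entropy)."""
    root = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    findings = []
    for path, value in walk(root):
        if not isinstance(value, str):
            continue
        key_hit = bool(SENSITIVE_KEY_RE.search(path))
        looks_random = len(value) >= min_len and " " not in value and shannon_entropy(value) >= min_entropy
        if key_hit and looks_random:
            findings.append({"path": path, "length": len(value), "entropy": round(shannon_entropy(value), 2)})
    return findings


# Constructed sample preference file standing in for an app's Documents/*.plist.
# The token strings are made up; they are not real credentials.
SAMPLE_PLIST = plistlib.dumps({
    "uid": "100000123456789",
    "display_name": "Alice Example",
    "access_token": "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",
    "session_secret": "short",          # credential-like key, but too short to be a token
    "settings": {
        "theme": "dark",
        "refresh_token": "Zyxwvutsrqponmlkjihgfedcba9876543210",
    },
})


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_PLIST):
        print(f"plaintext credential at {finding['path']} "
              f"(len={finding['length']}, entropy={finding['entropy']})")
```

Any hit from this check means a copy of the file is as good as the password to whoever holds the device. The remedy on the app side is to keep tokens out of readable files entirely and use the platform's protected credential store, the iOS Keychain or app-private storage on Android, which is the "protected location" Dropbox refers to below.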
Keep your eyes peeled for those updates.
UPDATE: Dropbox has now also spoken out about this issue, claiming that its Android app is not at risk from this problem, and that its iOS app will be updated soon:
Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.