Last December I posted an article calling out the Android permission settings on the Facebook Messenger app and others like it. I highlighted the threat that the "without your permission" stipulation, among others, could open the door for malicious third party software or hackers to gain access to your smart phone.
The article created quite a stir when it went viral last month when Facebook began removing the IM function from within its social networking app. For the most part, readers shared my concern; however, a select group of self-proclaimed tech geeks suggested that I was misinforming people and that I was just paranoid. Others pointed to the fact that the permission settings were specific to Android and that the sandboxing offered on Apple's iOS would prevent such unauthorized access from occurring.
Was I really paranoid? Are security issues only possible on Android apps thanks to the manner in which it manages permission settings? Well, earlier this week Andrei Neculaesei, a developer at Copenhagen-based Airtame, discovered a dangerous bug in the Facebook iOS app's programming that might cause potentially expensive calls to be made with your iPhone, without requesting your permission.
Neculaesei shares how the bug works on his blog where he explains that there's a potential for your iPhone's calling function to be hijacked when you click on a web link. He calls the bug "some sneaky-beaky-like JavaScript," which makes the links embedded in websites click themselves.
The threat could be even bigger. Neculaesei predicts that the vulnerability in theses apps could automatically transmit a video feed to attackers when clicking on a link within Facetime, for example. Facebook has announced that it has already developed an update to address the security threat; however, a release date has yet to be listed as of the date of this post.
Are We Right to be Paranoid?
My security concerns over our increasing use of mobile apps, for which we rarely read the permission settings or terms of service, were met with harsh criticism by some who said I was wearing a tinfoil hat and breeding paranoia.
I hate to say "I told you so" but, well, there it is. One of the potential threats I feared has come to life.
Will there be others? Of course there will.
Should you delete all your mobile apps? Of course not.
What we should do is start taking the time to read the fine print before we download apps that request access to our phone's data and functionality, and really consider if the app's utility is worth the potential security risks that may come with using it.
Next, we must put more pressure on app manufacturers to be clearer and more specific about how and why they need to access certain data and functions on our phones, and offer limitations on how that data will used once collected.
Finally, we must start to insist that they add greater safeguards to protect our data or we'll stop downloading them.
What say you? Are you at all concerned about the increased threat posed by the permission settings and/or terms of use we accept when downloading modern apps?
Executive Network
Click Here, Learn More