30 September 2018
Study: Facebook Selling Security
Lately in the news I’ve been reading a lot about Facebook again. As a security lover I’m really not all that surprised about anything regarding them anymore. I’m hoping by breaking down what I know, the current discussion of their security issues, and leaving suggestions you will be more informed on how to navigate the platform safely.
What I knew about mobile security?
As mentioned previously I started in security studying mobile applications. One of the things that use to bigger concern for the Android community was that apps containing virudes was a lot more common. The famous example is of a popular flashlight app that would get access to people’s contacts and such. How did this happen? User’s weren’t reading app permissions. As the years have gone by Google has made it so that developers now have to make sure when starting an app that explicity ask for permission to information on your phone.
This started at first making user click through permission boxes upon processed “payment” before the app would fully load. Most people still weren’t reading, but would just hit “agree” to get through the boxes, but after realizing this those same boxes have now moved inside the actual application.
What I knew about facebook + mobile security?
Facebook is the ultimate mobile security case study. Before Messanger was a thing, before you could make phone calls through the app…facebook was built on bad security. Facebook apps asked for access to your whole phone from the begining but eventually started building (or aquiring) products that actually put the different permissions to use. The “issue” now is that not everyone takes advantage of all the features that the permissions are used for. Also because facebook runs in the background there are certain things that might stay active without your knowledge.
You upload photos & videos from your phone to facebook. You have given them permission to use your camera, photos/videos, and microphone. You also let messenger run in the background because you have a group of freinds that you frequently talk to. Now all of this sounds cool and “safe” BUT waht you might not know is that your mic could still be on in 10-60sec intervals recording conversation you have day to day. Why would this happen? Well facebook messager has the same permissions as the general app and because you let messanger run all the time then facebook still have the right to pull photos, videos, and control the mic
- Here is where I tell you that this might not be happening under the hood but I can’t prove either way so take the example with a grain of salt.
The current issues with Facebook security
Long story short, Facebook is selling your info to anybody with a big wallet.
I mean I recall that being part of the deal when you sign-up for an account but some people seem to think otherwise. The detailed version of all this is that the personal info your giving facebook to “secure” your account or anything peresonal that you share on the site (telaphone number, email, location) is getting sold for ads. This is why your ads are so good at know you wanted that 4k tv last week or that you live in the BedStuy area of New York.
Suggested ways to navigate the platform
1. Get a flip phone and txt statuses to facebook
ok this is somewhat of a joke. I’m not sure this is a thing anymore
2. Don’t share your location on any facebook branded apps
This means no more tagging those Instagram post or putting where your going to brunch this week
3. Don’t give facebook access to anything you won’t use
By default (minus instagram) I never give apps access to my camera/photos. I personally need to see a need to use it before I openly let apps roam my photo gallary
5. Don’t use facebook login
I’ve sold my tech soul to Google so as much as possible I try to use Google log in over facebook
6. Don’t allow facebook to automate anything
Don’t let facebook autotag picture (honestly I thought that was always weird), don’t allow the automatic tagging of your location when posting, don’t allow every picture you take be uploaded to facebook (also thought this was strange)
7. Don’t add your phone number
I mean…why do they need your number? If you need a password reset just go through the normal process. If you want to add a number for whatever reason you should go grab a google voice number.
I’m not saying these things are a sure fire way of staying safe from facebook so they can’t sell you out to ads BUT it could help a little. I use facebook in a different capacity than most so I tried to keep this pretty direct for heavy facebook users. If you aren’t a heavy facebook user then you might ok but it doesn’t hurt to check what information your openly giving companies.
tags: facebook - personal security