Wednesday, April 22, 2009

I am concerned about the security of Facebook Connect for iPhone against phishing attempts. Does anyone know how Facebook protects users against phishing attempts on the iPhone? Facebook posts the following security notes regarding Facebook Connect:
When you see this, you should take the same precautions you take whenever you log in to Facebook. Make sure you check the URL in the window’s address bar, and only provide your information if it starts with Also remember that real Connect-enabled sites should know when you’re logged in to Facebook, so if you see one of these windows when you’re already logged in, close it immediately, and don’t provide any information. -- link
However, checking the URL is not possible with in-app webviews on the iPhone. The only way I see to protect against phishing attempts is to have Apple check to ensure the application is communicating with Facebook and not some phishing server. But there could even be ways for hackers to get around this; the developer could have their application grab the contact URL from a remote server and then change that URL after the app is approved. What is the best way for a user to protect against phishing attempts on the iPhone? I am publishing an article about this soon. I'd like to hear everyone's input.
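Facebook's advice boils down to "look at the address bar and check the URL prefix". Inside an in-app webview there is no address bar, so the only place that check can happen is in the app itself, before a navigation is allowed. The following is an added example (not from the post, and not Facebook's or Apple's code) that contrasts the eyeball-style prefix check with a parsed scheme-and-host comparison against an allowlist. The two hostnames in the allowlist and all sample URLs are constructed for the example, not taken from the post.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts treated as the genuine login endpoint.
# These names are an assumption for the example, not taken from the post.
TRUSTED_LOGIN_HOSTS = {"www.facebook.com", "login.facebook.com"}


def naive_startswith_check(url: str) -> bool:
    """The check a user makes by eye: does the address start with the
    expected prefix?  Spoofable, because a hostname can be extended
    (www.facebook.com.attacker.example) or hidden behind userinfo
    (www.facebook.com@attacker.example)."""
    return url.startswith("https://www.facebook.com")


def is_trusted_login_url(url: str) -> bool:
    """Parse the URL and compare scheme, userinfo, port and the exact
    host against the allowlist.  This is what an app would run in its
    webview's before-navigation hook, since the user cannot see the URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Credentials in the authority are a classic way to put a trusted-looking
    # name in front of the real host; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return host in TRUSTED_LOGIN_HOSTS


def classify(urls):
    """Return {url: (naive_result, parsed_result)} so the two checks can be
    compared side by side on the same inputs."""
    return {u: (naive_startswith_check(u), is_trusted_login_url(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest look-alikes.
    samples = [
        "https://www.facebook.com/login.php",
        "https://www.facebook.com.attacker.example/login.php",
        "https://www.facebook.com@attacker.example/login.php",
        "http://www.facebook.com/login.php",
        "https://WWW.facebook.com:443/login.php",
    ]
    for url, (naive, strict) in classify(samples).items():
        print(f"{url:60s} startswith={naive!s:5s} parsed={strict}")
```

The second and third sample URLs pass the prefix check and fail the parsed check, which is exactly the gap the post is worried about: a user reading an address bar has only the prefix check available, and in an in-app webview not even that.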

