
App Permissions: Beware the Hidden Accesses

Look, I love Facebook. Not enough to use my real name on my account there, mind you, because I don’t trust the idea of sharing my real name and my real birthday on the same social media site. That opens you up for information mining and possible identity theft. But I do love social media interaction, and I think a lot of columnists are absolutely wrong about only being able to maintain 150 friendships.

So now that I’ve established myself as a lover of FB and social media, may I ask that you all please consider carefully which new and (worse) seldom-used applications you grant permission to “Log On with Facebook”? (Or Google+, or Twitter; I’m not singling out any one federated login mechanism.)

For sheer convenience, a lot of people do it in lieu of creating a new username/pw combo, or even using a “Spamdump” email/pw. Why? It’s a pain to constantly type in an email address and password, especially on the tiny little phone letters and numbers. I get that.

These apps, which use your FB or Google account to log you in, don’t have the ability to change your password. They merely check with FB, which then generates a token for the use of this app, limited to what you approved. I like to think of it as the difference between the badge for my office and the building key. The key can get people into the hallways, but only my badge and fingerprint can get them into my office.

But you really need to go through and chuck out extraneous apps from your permissions now and again. Today’s Twitter Counter hack is an excellent demonstration of how third-party apps use the tokens from your main identity. Twitter Counter and Twitter have both identified and dealt with the issue, which one presumes means changing permissions, updating both the authentication and authorization protocols regarding how much they share and how they communicate, and possibly other application security measures.
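To make the badge-versus-key picture concrete, here is an added example (not code from the original post or from any of the providers it names) of how a federated-login provider hands a third-party app a token bound to approved scopes instead of your password, why no app scope can change the password, and how revoking an app's grant invalidates its tokens. The scope names, app names and users are constructed for illustration and are not any real provider's API.

```python
"""Toy model of scoped app tokens and revocation at a federated-login provider.

Constructed example: scope names, apps and users are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass

# Scopes an app may request when the user clicks "Log in with ...".
# Deliberately absent: anything that would change the account password.
# That is the "building key" only the account owner holds.
APP_SCOPES = {"profile:read", "posts:read", "posts:write"}


@dataclass
class Grant:
    app: str
    user: str
    scopes: frozenset
    revoked: bool = False


class IdentityProvider:
    """Issues tokens to apps the user approved and answers token checks."""

    def __init__(self):
        self._grants: dict[str, Grant] = {}  # token -> grant
        # Plaintext only to keep the example short; a real IdP stores a slow, salted hash.
        self._passwords: dict[str, str] = {}

    def register_user(self, user, password):
        self._passwords[user] = password

    def authorize_app(self, user, app, requested_scopes):
        """User approves an app: it receives a random token tied to the approved scopes."""
        scopes = frozenset(requested_scopes)
        unknown = scopes - APP_SCOPES
        if unknown:
            raise ValueError(f"scope(s) not available to apps: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(app=app, user=user, scopes=scopes)
        return token

    def introspect(self, token):
        """Return the live grant behind a token, or None if unknown or revoked."""
        grant = self._grants.get(token)
        return None if grant is None or grant.revoked else grant

    def revoke_app(self, user, app):
        """The 'Remove app' / 'Revoke access' button: kills every token the app holds for this user."""
        count = 0
        for grant in self._grants.values():
            if grant.user == user and grant.app == app and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def list_apps(self, user):
        """What the user sees on the Apps page: apps with at least one live grant."""
        return sorted({g.app for g in self._grants.values() if g.user == user and not g.revoked})

    def change_password(self, user, old, new):
        """Only a direct, password-authenticated session may do this; no app token is accepted."""
        if not hmac.compare_digest(self._passwords.get(user, ""), old):
            return False
        self._passwords[user] = new
        return True


class ResourceServer:
    """Enforces scopes on API calls made with an app token."""

    def __init__(self, idp):
        self.idp = idp

    def call(self, token, action):
        grant = self.idp.introspect(token)
        if grant is None:
            return "denied: token unknown or revoked"
        if action not in grant.scopes:
            return f"denied: {grant.app} lacks scope {action}"
        return f"ok: {grant.app} performed {action} for {grant.user}"


def demo():
    """Walk through grant, scope enforcement, and revocation; returns the observed results."""
    idp = IdentityProvider()
    api = ResourceServer(idp)
    idp.register_user("alice", "correct horse")
    counter_tok = idp.authorize_app("alice", "CounterApp", {"profile:read", "posts:read"})
    quiz_tok = idp.authorize_app("alice", "WhichCatAreYou", {"profile:read"})
    results = {
        "read_ok": api.call(counter_tok, "posts:read"),          # read-only app can look
        "write_denied": api.call(counter_tok, "posts:write"),    # but not touch
        "apps_before": idp.list_apps("alice"),
    }
    try:  # no app can even ask for the power to change the password
        idp.authorize_app("alice", "SomeApp", {"account:password"})
        results["password_scope"] = "granted"
    except ValueError as exc:
        results["password_scope"] = str(exc)
    # The user cleans out the forgotten quiz app; its token stops working immediately.
    results["revoked_count"] = idp.revoke_app("alice", "WhichCatAreYou")
    results["quiz_after"] = api.call(quiz_tok, "profile:read")
    results["apps_after"] = idp.list_apps("alice")
    results["password_change"] = idp.change_password("alice", "correct horse", "battery staple")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the walkthrough is in the last few lines: the quiz app's token is dead the moment its grant is revoked, the counter app can read but never write, and the password change path never consults an app token at all. That is exactly the behaviour you rely on when you prune the Apps page, and why an app's breach exposes only the scopes you approved for it.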

Here’s a quick How To reminder for the main three social media sites I use:

Facebook: Click on the question mark drop-down menu and select Privacy Check-Up. Go to the left-hand rail (or Next on the web) and select Apps. With Facebook especially, plenty of these apps may have read-only access to your data, so they can look but not touch. Still, get rid of anything you don’t use regularly, and especially things you authorized and forgot about. (Also, for the love of little blue fishes, please don’t let anyone see your birthdate. Let it be Month and Day only, not including the year, and additionally lock it to Friends only.)

Twitter: Click on your avatar circle on the top right, next to the “Tweet” button, and select Settings and privacy. Look at the list on the left side, under your name and avatar, and click Apps. Click Revoke Access for every outdated or unused app, as above.

Google: Google makes it easy with the Security Checkup, which runs through your app permissions, app-specific passwords, connected devices, and other points of vulnerability for your account. Run it now and clean out all the accumulated detritus.

Naturally, if you are a company that makes mobile applications which use federated identity from one of the major social media vendors, perhaps you should consider using WhiteHat for your mobile application scanning needs. We can help you find stuff like that before someone uses your app to do nasty things.

Tags: application security, security