Facebook dev move won't stop rogue apps, say researchers

Site must use Apple-style approval process to stymie attacks, say security experts

Security researchers today said Facebook's new requirement that developers link legitimate accounts to their software won't stop rogue applications from infecting its users with adware.

On Wednesday, Facebook announced that it will now demand that developers verify a Facebook account to create new apps on the service.

"We're taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account," Niket Biswas, an engineer and technical project manager on the platform engineering team, said in an entry on the Facebook developer blog .

Developers can establish they have a legitimate Facebook account by confirming their mobile phone number or adding a credit card to the account. Facebook requires the same confirmation for users who want to upload large video files.

Although Biswas didn't mention rogue Facebook apps, the move was clearly aimed at trying to stop cybercriminals from building bogus software that dupes users into downloading other programs, including pop-up spewing adware.

"That's not going to hurt [the criminals] one little bit," said Roger Thompson, the chief technology officer for antivirus company AVG Technologies, in an instant message. Thompson has tracked several of the attacks against Facebook users launched by hackers on three consecutive weekends .

"Facebook is entirely too open at the moment," Thompson added. "Anyone can be a developer, with no cost to them at all."

Rik Ferguson, a senior security advisor at Trend Micro, agreed.

"What guarantees are there that any Facebook account is 'valid and real' in the first place?" he asked in a post today on Trend's CounterMeasures blog. "Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. If criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account, where does that leave us?"

Ferguson answered his own question a moment later. "It leaves us with a fake 'confirmed' profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuing to play Whac-A-Mole with the scammers," he said.

Both Ferguson and Thompson said that the only viable move Facebook could take would be to mimic Apple's App Store. Software for the iPhone and iPad must go through a review and approval process before Apple deigns to stick a program on its e-mart.

"If Facebook really wants to turn around the security situation when it comes to malicious or rogue content, then the only effective option is an application approval process, such as the ones already in place over on MySpace or on the Apple App Store," said Ferguson.

Thompson had the same idea, though he didn't think it was feasible for Facebook . "I don't think they can do much more without going to the App Store model, which is contrary to their business [model]," he said.

But Ferguson countered. "The effort that Facebook incident handlers currently put in to tracking down and suspending the ever-increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place," he said.

For three weekends in a row, Facebook users have faced rogue app-based attacks that plant adware on their PCs. This week, users have dealt with a string of so-called "like-jacking" attacks that spread links to malicious sites using Facebook's "Like" feature.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags FacebookAppleadwareapp

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?