Woe is iOS
When Wright revealed a Facebook mobile security hole in iOS devices, he wrote, "Readers: Do not panic!" and explained how to change phone settings to secure the devices. He then says he used the free iexplorer tool on some of his iOS application directories and found a plain text Facebook access token in the Draw Something app. He realized that the Facebook application directory contained cached images and the com.Facebook.plist, but what was most shocking was the full oAuth key and secret in plain text.
Worryingly the expiry in the plist is set to 1 Jan 4001!Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app… My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added."
Wright says that he notified Facebook, which is working to fix the hole. Later, he updated his post to include Linkedin as vulnerable to the hack.
Next Comes Dropbox
The Next Web followed the story and found that the Dropbox app was also vulnerable because it stores information in plain text, which can be copied and used on another device:
We copied the .plist from one device with the app installed and logged in, over to another which had a fresh installation of Dropbox on it. The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not."
The Next Web contacted Dropbox about the problem, and received a statement back that said the Android app is not susceptible to the security issue because the access tokens are stored in a protected location.
Dropbox is updating its iOS app to do the same thing, but in the meantime, iOS app users can set the device passcode, which prevents transferring of the .plist file from the mobile device.