Should a Facebook under fire adopt the Apple approach to security?

By Davey Winder
Tuesday, 03 March 2009 02:30

Home IT

With malicious hackers targeting Facebook a total of five times in seven days, has the time come for the social network to take a leaf out of the Apple book?

Reports are circulating concerning how Facebook has been targeted by malicious hackers intent on stealing data from members of the social network. Such problems are nothing new, of course, but they become newsworthy when apparently there have been a total of five of them in the space of just seven days.

The BBC quotes one senior security advisor as confirming that Facebook has been "hit by four malicious applications" plus "a new variant of the Koobface virus."

All the applications have one thing in common, the intent to steal saleable information from Facebook members. These applications are, more often than not, hosted on Facebook servers linked to third party servers rather than installed directly on the users machine so most security software can be bypassed with relative ease.
  
The fact that Facebook, unlike the Apple App Store for example, does not have a policy of only allowing approved applications to be made available. Indeed, the only Facebook vetting happens after the event if members report an application as being dodgy in some way.

Rob Cotton, CEO of NCC Group, comments: "The friendly, open nature of social media sites such as Facebook makes them easy targets for hackers as users are very trusting of the content."

iTWire asked Graham Cluely, the Senior Technology Consultant at security specialists Sophos, if it was time that Facebook adopted the Apple approach to pre-approving applications?

"My proposal would be that Facebook application developers would have to jump through a few hoops before their applications are allowed to be unleashed on the network's 100 million plus users" he told us.

Cluley suggests that anyone wanting to write a Facebook application should be asked to prove their identity and contact details and sign a contractual agreement before they can become an authorised Facebook third-party developer.

"I suspect that an 'authorised developer' infrastructure would reduce the number of applications being written and give the authorities more of a trail to follow if an application goes bad" Cluley concludes.