The Cambridge Analytica data-harvesting scandal appears to be a game changer for Facebook. The company has been forced to take big steps to protect its users’ privacy. Facebook has restricted access to certain types of data, but it’s clear that the company needs better visibility into how user information is being used by third-party apps.
Between 2013 and 2015, the research firm Cambridge Analytica (CA) harvested profile data from millions of Facebook users, and used that data to build a targeted marketing database based on each user’s individual likes and interests. CA was able to gather this data in the first place thanks to a loophole in Facebook’s API that allowed third-party developers to collect data not only from users of their apps but from all of the people in those users’ friends network on Facebook.
Make no mistake, this was not a hack. All of the information collected by Cambridge Analytica was information that Facebook had freely allowed mobile developers to access. And it appears the main avenue that app developers used for data collection was the Facebook Login feature.
Facebook Login lets people log in to a website or app using their Facebook account instead of creating new credentials. People use it because it’s easy and eliminates the need to remember a bunch of unique username and password combinations.
When people use Facebook Login, though, they grant the app’s developer a range of information from their Facebook profile — things such as their name, location, email or friends list. Back in 2015, Facebook also allowed developers to collect some information on the friend networks of people who used Facebook Login. That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends. Needless to say, this realization among Facebook users has caused a huge backlash.
The scandal has prompted Facebook to do more to make it easier for users to protect their privacy, which, to the company’s credit, it has. Users can now more easily lock down their privacy settings, and app developers are no longer permitted to access as much data as they once could. In addition, developers will be cut off from access when people stop using their app, and they’ll have to get Facebook’s approval to access more detailed information.
But one big problem persists: what about the tons of apps out there still operating under the “old rules,” surreptitiously siphoning users’ (and their friends’) data? Facebook CEO Mark Zuckerberg says Facebook will “audit” thousands of apps and “investigate all apps that had access to large amounts” of data in the past. But what that means exactly is still unclear.
Can Facebook do it? Can it do it at scale? Does it have the expertise and experience to see what is happening inside all of the apps that use its services? If they can’t, Trustlook can.
Enter SECUREai App Insights
Trustlook SECUREai App Insights (datasheet here) can already do what Facebook is promising to do. In fact, it’s already securing three of the top five app stores in the world.
SECUREai App Insights provides detailed information about mobile applications. It offers more than 80 pieces of information for each app, including permissions, libraries, risky API calls, network activity, and a risk score. All the information is presented in an easy-to-use, actionable format so that app store owners, app developers, researchers and companies such as Facebook can make informed decisions.
Most importantly for Facebook, Trustlook’s technology can determine if apps that are using Facebook Login are doing so properly, or if they are abusing permissions or mishandling user data in any way.
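To make the permission check concrete, here is an added example of the kind of audit a reviewer can run over apps that use Facebook Login. It is illustrative code written for this article, not Trustlook’s SECUREai App Insights or any Facebook tooling. It assumes that each app’s login request has been captured as the OAuth dialog URL it opens (the Facebook Login dialog carries the requested permissions as a comma-separated `scope` query parameter), that the reviewer has decided which scopes the app’s purpose justifies, and that the sensitivity weights, app names and URLs below are constructed for the demonstration.

```python
"""Audit the Facebook Login permission scopes that third-party apps request.

Added example (not Trustlook's or Facebook's code). It assumes that an app's
login request has been captured as the OAuth dialog URL it opens, and that a
reviewer has a least-privilege baseline of scopes acceptable for the app's
purpose. The sample URLs and the sensitivity weights below are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Sensitivity weights (an assumption for this example, not a Facebook ranking).
# user_friends is weighted highest because it is the scope that exposed data
# about people who never used the app themselves.
SCOPE_WEIGHT = {
    "public_profile": 0,
    "email": 1,
    "user_birthday": 2,
    "user_location": 2,
    "user_likes": 3,
    "user_posts": 3,
    "user_photos": 3,
    "user_friends": 5,
}
UNKNOWN_SCOPE_WEIGHT = 2  # any scope the reviewer has not classified


def requested_scopes(login_url: str) -> list[str]:
    """Return the scopes an app asks for in its Facebook Login dialog URL.

    Returns [] if the URL is not a Facebook OAuth dialog or carries no scope.
    """
    parts = urlparse(login_url)
    if not parts.netloc.endswith("facebook.com") or not parts.path.endswith("/dialog/oauth"):
        return []
    raw = parse_qs(parts.query).get("scope", [""])[0]
    return sorted({s.strip() for s in raw.split(",") if s.strip()})


def audit_app(app_id: str, login_url: str, allowed: set[str]) -> dict:
    """Compare the scopes an app requests with the scopes its purpose justifies.

    `allowed` is the reviewer's least-privilege baseline for that app. The
    result lists the excess scopes, flags friend-network access explicitly and
    assigns a simple additive risk score (the scoring itself is illustrative).
    """
    scopes = requested_scopes(login_url)
    excess = [s for s in scopes if s not in allowed]
    score = sum(SCOPE_WEIGHT.get(s, UNKNOWN_SCOPE_WEIGHT) for s in excess)
    return {
        "app": app_id,
        "requested": scopes,
        "excess": excess,
        "friends_data": "user_friends" in scopes,
        "risk_score": score,
    }


def audit_all(captures: dict[str, str], allowed: set[str]) -> list[dict]:
    """Audit every captured login URL and return the findings, riskiest first."""
    findings = [audit_app(app, url, allowed) for app, url in captures.items()]
    return sorted(findings, key=lambda f: f["risk_score"], reverse=True)


# Constructed captures: hypothetical package names and app IDs, not real apps.
SAMPLE_CAPTURES = {
    "com.example.notes": (
        "https://www.facebook.com/v2.12/dialog/oauth?client_id=000000000000001"
        "&redirect_uri=https%3A%2F%2Fnotes.example%2Fcb&scope=public_profile,email"
    ),
    "com.example.quiz": (
        "https://www.facebook.com/v2.12/dialog/oauth?client_id=000000000000002"
        "&redirect_uri=https%3A%2F%2Fquiz.example%2Fcb"
        "&scope=public_profile,email,user_friends,user_likes,user_birthday"
    ),
    # An app whose login does not go through Facebook at all.
    "com.example.weather": "https://api.weather.example/login",
}

# Baseline: a sign-in feature only needs to identify the user and reach them.
MINIMAL_LOGIN_SCOPES = {"public_profile", "email"}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CAPTURES, MINIMAL_LOGIN_SCOPES):
        flag = "FRIENDS-DATA " if f["friends_data"] else ""
        print(f"{f['risk_score']:>2} {flag}{f['app']}: excess={f['excess']}")
```

Run as a script it ranks the constructed quiz app first, because it asks for `user_friends`, `user_likes` and `user_birthday` on top of the two scopes a sign-in needs. The same shape of check applies to the other sign-in providers mentioned later in this post: capture the authorization request, extract the requested scopes, and compare them with what the app actually needs.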
Facebook is not the only company offering a sign-in feature. Twitter, LinkedIn, Google, and Yahoo have similar features. All of these companies need to remain diligent about what user information is being granted to apps.
Are you interested in learning more about SECUREai App Insights? Contact us today to schedule a demo.