March 23, 2018

Can Trustlook’s app auditing tool solve Facebook’s data privacy woes?

Can Trustlook’s app auditing tool solve Facebook’s data privacy woes?

The Cambridge Analytica data-harvesting scandal appears to be a  game changer for Facebook. The company has been forced to take big steps  to protect its users’ privacy. Facebook has restricted access to  certain types of data, but it’s clear that the company needs better  visibility in to how user information is being used by third-party apps.

The Issue
Between 2013 and 2015, the research firm Cambridge Analytica  (CA) harvested profile data from millions of Facebook users, and used  that data to build a targeted marketing database based on each user’s  individual likes and interests. CA was able to gather this data in the  first place thanks to a loophole in Facebook’s API that allowed  third-party developers to collect data not only from users of their apps  but from all of the people in those users’ friends network on Facebook.

Make no mistake, this was not a hack. All of the information  collected by Cambridge Analytica was information that Facebook had  freely allowed mobile developers to access. And it appears the main  avenue that app developers used for data collection was the Facebook  Login feature.

Facebook Login lets people log in to a website or app using their  Facebook account instead of creating new credentials. People use it  because it’s easy and eliminates the need to remember a bunch of unique  username and password combinations.

When people use Facebook Login, though, they grant the app’s  developer a range of information from their Facebook profile — things  such as their name, location, email or friends list. Back in 2015,  Facebook also allowed developers to collect some information on the  friend networks of people who used Facebook Login. That means that while  a single user may have agreed to hand over their data, developers could  also access some data about their friends. Needless to say, this  realization among Facebook users has caused a huge backlash.


The Solution
The scandal has prompted Facebook to do more to make it easier  for users to protect their privacy, which, to the company’s credit, it  has. Users can now more easily lock down their privacy settings, and app  developers are no longer permitted to access as much data as they once  could. In addition, developers will be cut off from access when people  stop using their app, and they’ll have to get Facebook’s approval to  access more detailed information.

But one big problem persists: the tons of apps out there operating  under the “old rules,” and siphoning user’s (and their friends’) data  surreptitiously? Facebook CEO Mark Zuckerberg says Facebook will “audit”  thousands of apps and “investigate all apps that had access to large  amounts” in the past. But what that means exactly is still unclear.

Can Facebook do it? Can it do it at scale? Does it have the expertise  and experience to see what is happening inside all of the apps that use  its services? If they can’t, Trustlook can.

Enter SECUREai App Insights
Trustlook SECUREai App Insights (datasheet here) can already do what Facebook is promising to do. In fact, it’s already securing three of the top five app stores in the world.

SECUREai App Insights provides detailed information about  mobile applications. It offers more than 80 pieces of information for  each app, including permissions, libraries, risky API calls, network  activity, and a risk score. All the information is presented in an  easy-to-use, actionable format so that app store owners, app developers,  researchers and companies such as Facebook can make informed decisions.

Most importantly for Facebook, Trustlook’s technology can determine  if apps that are using Facebook Login are doing so properly, or if they  are abusing permissions or mishandling user data in any way.

Facebook is not the only company offering a sign in feature. Twitter,  LinkedIn, Google, and Yahoo have similar features. All of these  companies need to remain diligent about what user information is being  granted to apps.

Are you interested in learning more about SECUREai App Insights? Contact us today to schedule a demo.