
Recently Facebook announced their Application Verification Program in an attempt to give users assurances that particular applications are secure. I think the intent is good, but the implementation may actually cause more harm than good. Giving users an assurance that a malicious application is secure can cause a lot of damage. People who have been given such assurances are a lot looser with their actions than they would be if they had no expectation of security.
Given the way many of Facebook’s applications are written, they don’t lend themselves to a proper review. The Facebook team will have to review submitted code that does not run on Facebook’s servers, so the review is only a snapshot of the code at that point in time. After the verification procedures are done, the developer can make whatever changes they want; they could change the verified app into a malicious app at will. I am getting so tired of security measures that don’t address the real problems. They are a waste of time. The only thing this verification program may do is stop the idiot who just learned PHP from creating the HackMe Back of social network applications. It doesn’t address the major problem: attackers are gaining access to the API and attacking social network users.
The best way to protect against malicious applications is to control access to the API in the first place. Don’t let just anyone access the API, and don’t make having 5 friends the only requirement for publishing an app. Proper vetting procedures would go a long way toward curbing the number of malicious applications that get published on Facebook and other social networks. Why don’t the major social networks have vetting procedures for API access? It completely blows my mind, but that’s social network culture for ya.
Social networks are walking a thin line with security as it is. Introducing security measures that aren’t effective only causes more confusion for their users. Social networks should strive to create a balance between functionality and security for everyone’s sake. Will that happen? Only time will tell. One thing is for sure, though: attacks on social networks are only going to go up. The more surface you give an attacker, the more options and success they are going to have.
Nathan, I am not familiar with the inside procedures of Facebook verification. If that’s true, the only point we can get is that the designer of this verification program doesn’t know security well. As a basic practice for application/web security, every change needs re-verification/check, at least for major changes. Richard