Security: Apple's walls beat Facebook's flaws

Facebook apps bleed user data to advertisers, data which makes users of the social network easy to identify -- and the social networking service could do well to take a leaf out of Apple's book to beef up security. At present, users of all ten of the most popular Facebook apps are leaking their unique Facebook ID to outside firms.

This is a bad thing -- that leaked data lets other parties access your name, date of birth, photos -- any information you've assigned to be shared with 'everyone'.

At issue here is the way in which Facebook curates, or rather, fails to curate, Facebook applications. This underlines the dangers of openness, when open puts potentially privacy-eroding software into the hands of users who don't necessarily understand what's at stake.

Security consultants Sophos polled 1,000 people to see what they thought about Facebook and security, and found that 95 percent of these people thought the social networking service should follow Apple's approach with the App Store and security-check all third-party apps running on the site. A 'walled garden', if you will.

[This story is from Computerworld's Apple Holic blog. Follow on Twitter or subscribe via RSS to make sure you don't miss a beat.]

Sophos senior technology consultant, Graham Cluley, said,

"Inevitably some of these applications are written with malicious intent - designed to steal information, spread virally, or spam unsuspecting Facebook users. Anyone can write a Facebook application, and it can be made available to the site's over 500+ million users without vetting. It's no wonder we see so many malicious attacks by rogue Facebook apps every day."

Contrast this with Apple's approach to apps on the App Store.

Sure, we may slam the company for its inconsistencies in what gets approved; certainly, Apple's censorious approach to some content sticks in the craw; I don't believe in editing other people's belief, but one thing is certain: those security checks help keep app users safe, at least most of the time.

"Although some people may not appreciate the level of control that Apple has over what apps you can run on your device, it certainly has been instrumental in keeping malicious hackers and malware off the platform," Cluley notes.

Malware authors continue to target Facebook because it lacks adequate security and vetting procedures. Given the social network's 'unusual' approach to user content and privacy, it is clear users have too much at stake and must beware which apps they use.

Facebook's unusual demographic -- the fact that it hosts people from all round the world and all walks of life -- is a great advantage of the platform, but it also means there are plenty of people on it who are lax with security, perhaps not understanding the importance and danger of Facebook's approach to it.

Facebook's open approach to security puts its users at risk. This is the danger of an open approach in a connected age.

This danger also means that in future, malware authors will flock to produce exploits affecting Android, particularly while its market share grows.

They'll exploit Android's (in my opinion) lackluster security to introduce apps that grab user data, including contacts, number, address, name, location and other data.

Sure, I understand that apps on Android -- just like apps on Facebook -- must get user permission before accessing personal data, but let's face it -- the people most at threat in such a model are those who least understand what's being agreed.

It's like this: I may understand what the permission request means, but my mum on her Android phone may not. And if the app asking for permission is something she wants that seems trustworthy, why would she not give her permission?

Adopting an open model to security places users at risk. In an age of identity theft, billing checks are no protection at all. That's why I think there is something to be said for Apple's so-called 'walled garden' after all.
