One of the mobile news items this week was the discovery by developer Gareth Wright of a vulnerability in the Facebook apps for both iOS and Android. In the iOS version of the Facebook app, a user’s login data is stored in a cleartext .plist file. Copying that file to another device allows full access to the person’s Facebook account.
Facebook was quick to point out that this file could only be copied directly from an iOS device if the device had previously been jailbroken. Wright responded by saying that the portion of the iOS file system where the data is located can be accessed by connecting any iOS device (jailbroken or not) to a Mac or PC running iTunes and creating a backup. With the right tools, it’s fairly easy to search an iOS device backup or even the filesystem on a connected device.
This brings up an important issue for businesses deploying iOS devices or operating a BYOD program – iOS backups made through iTunes can be an attack vector to retrieve business data.
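One check an administrator can run against this exposure, as an added example that is not from the original article: iTunes can encrypt a backup with a password, and this script reports every backup folder on a workstation that is not confirmed encrypted. It assumes the iTunes layout in which each backup folder holds a `Manifest.plist` with an `IsEncrypted` flag and a `Lockdown` dictionary containing `DeviceName`; the folder names and device names below are constructed sample data.

```python
import plistlib
import tempfile
from pathlib import Path


def audit_backups(root):
    """Classify every backup folder directly under root by its Manifest.plist."""
    findings = []
    for folder in sorted(Path(root).iterdir()):
        manifest = folder / "Manifest.plist"
        if not manifest.is_file():
            continue  # not a backup folder
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)  # accepts XML and binary plists
        except Exception:
            data = None
        if not isinstance(data, dict):
            # A manifest that cannot be parsed is a finding, not something to skip.
            findings.append({"backup": folder.name, "device": None, "status": "unreadable"})
            continue
        flag = data.get("IsEncrypted")
        status = "encrypted" if flag is True else "unencrypted" if flag is False else "unknown"
        lockdown = data.get("Lockdown")
        device = lockdown.get("DeviceName") if isinstance(lockdown, dict) else None
        findings.append({"backup": folder.name, "device": device, "status": status})
    return findings


def at_risk(findings):
    """Backups that are not confirmed encrypted and need follow-up."""
    return [f for f in findings if f["status"] != "encrypted"]


def build_sample_tree(root):
    """Write three constructed backup folders (sample data, not real backups)."""
    samples = {
        "constructed-backup-a": {"IsEncrypted": True, "Lockdown": {"DeviceName": "Sales iPad"}},
        "constructed-backup-b": {"IsEncrypted": False, "Lockdown": {"DeviceName": "BYOD iPhone"}},
    }
    for name, manifest in samples.items():
        folder = Path(root) / name
        folder.mkdir()
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh)
    broken = Path(root) / "constructed-backup-c"
    broken.mkdir()
    (broken / "Manifest.plist").write_bytes(b"not a plist")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in at_risk(audit_backups(tmp)):
            print(f"{f['backup']:22} {f['status']:12} {f['device']}")
```

On a real workstation, pass the backup directory used by iTunes (on a Mac, `~/Library/Application Support/MobileSync/Backup`) to `audit_backups` instead of the sample tree.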