Last weekend’s fiasco, in which Spotify, Pinterest and Tinder crashed on Apple iOS devices, exposes a vulnerability that needs urgent review.
Apple users must have been irked last weekend when popular apps such as Spotify, Pinterest and Tinder were crashing on iPhones, all apparently due to a bug in Facebook’s software.
Many app developers routinely use the Facebook software development kit to allow Facebook login information to be used to sign into other apps such as Spotify. However, in this case, users did not even need to be using the Facebook login to be affected by the crashes.
Later that same morning, as the spike in crashes was being reported, Facebook posted on its developer forum that an error in its iOS software development kit had been resolved, about eight hours after it had started investigating.
This is an atypical cybersecurity scenario that must be raising alarm bells in threat hunting groups and defenders worldwide.
Said Tim Mackey, Principal Security Consultant, Synopsys Software Integrity Group: “Modern applications are a combination of proprietary code, open source software and increasingly third-party application programming interfaces. Throw in some configuration settings, and you have an application. Those third-party APIs often do very important things for the application, such as supporting a social media authentication token. Most of the time this is a good thing since it allows the application developers to focus on making their software really cool and not reinventing something that everybody needs.”
Mackey noted that, while there has been increasing attention around keeping up with the security of open source components in recent years, the API side of things has not seen as much focus. Part of that has to do with the reality that most API providers want their users to keep using their APIs and will do almost anything to keep the APIs functioning. “This of course can lead to some serious problems if the API needs to change due to security issues, or becomes unavailable for any number of reasons.”
Keep an eye on API usage
This is exactly what users of popular apps such as Spotify, Tinder and Pinterest, which use the Facebook SDK, experienced. Mackey continued: “This incident highlights an important set of security implications for any app using third-party APIs and SDKs—what happens to your app if the API fails? While some apps are designed to work in airplane mode and have a concept of offline operation, that’s not the same as a critical API failing. When an API fails, the error message returned might be in an unexpected format–say readable to a human but not software.”
When bad data is encountered, the app may crash or perhaps write information to a log file. The crash or log file may contain data that would be helpful to a developer, such as a username or access token, but that same helpful information might be classified as personally identifiable under one or more privacy laws. This is an example of how a decision made during development could have implications for compliance teams and end users. No business wants to have users complaining about their apps crashing, but things get worse if your legal team needs to be involved.
“Solving for this problem is easily done through the use of ongoing architecture reviews and updated threat models all performed with an eye on external API usage. The threat models will look at the data transferred and the architecture reviews will look at the behavior of the app when faced with the unexpected, such as a failed API or transient network connection,” said Mackey.
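As an added illustration (not code from the article, nor from Facebook or any of the apps named), the following Python sketches the failure mode Mackey describes: a login handler that assumes the third-party API always returns JSON and so crashes on a human-readable error page, beside a hardened version that degrades to a "login unavailable" state and redacts the access token before anything reaches a log. The response bodies, field names and token values are constructed for the example.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample bodies standing in for a third-party login API.
GOOD_RESPONSE = b'{"access_token": "EAAB-CONSTRUCTED-TOKEN-123", "user_id": "42"}'
# A human-readable error page instead of JSON: the "unexpected format" case.
HTML_ERROR_RESPONSE = b"<html><body><h1>503 Service Unavailable</h1></body></html>"

# Matches "access_token=<value>" or "access_token": "<value>" in free-form text.
TOKEN_RE = re.compile(r'(access_token["\s:=]+)([A-Za-z0-9\-_.]+)')


@dataclass
class LoginResult:
    ok: bool
    user_id: Optional[str] = None
    token: Optional[str] = None
    reason: Optional[str] = None


def naive_handle(raw: bytes) -> LoginResult:
    # Assumes well-formed JSON. On an HTML error page json.loads raises
    # ValueError, which would propagate and take the whole app down.
    data = json.loads(raw)
    return LoginResult(ok=True, user_id=data["user_id"], token=data["access_token"])


def redact(message: str) -> str:
    # Mask token values so a crash report or log line never carries a credential.
    return TOKEN_RE.sub(r"\1[REDACTED]", message)


def hardened_handle(raw: bytes, log: List[str]) -> LoginResult:
    try:
        data = json.loads(raw)
    except ValueError:
        # Non-JSON body: record the shape of the failure, not its content, and
        # let the app continue without third-party login rather than crash.
        log.append(f"third-party login API returned non-JSON body ({len(raw)} bytes)")
        return LoginResult(ok=False, reason="api_unavailable")
    if not isinstance(data, dict) or "access_token" not in data or "user_id" not in data:
        log.append("third-party login API returned JSON without the expected fields")
        return LoginResult(ok=False, reason="malformed_response")
    # Even on success, scrub the token before it is written anywhere persistent.
    log.append(redact(f"login ok for user {data['user_id']}, access_token={data['access_token']}"))
    return LoginResult(ok=True, user_id=str(data["user_id"]), token=data["access_token"])
```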