How Facebook Home Undermines Your Security
Four views of Facebook Home running on the HTC First Android smartphone.
Facebook's recently launched Facebook Home app makes using the social network on Android smartphones much easier and smoother — but might also open up some important security holes.
With the Facebook Home app, the home screen of an Android phone changes from the usual lockscreen or picture to a stream of updates from your Facebook friends, called Cover Feed.
Cover Feed resembles a Facebook Web page, but makes use of phones' limited screen size. If a friend shares a status update or photo, it appears on the screen and you can comment on it by tapping.
Facebook Home also includes a feature called Chat Heads that lets users access Facebook Messenger messages through an icon in the corner of the screen. (Chat Heads also handles regular text messages.)
Finally, Facebook Home includes a launcher for other apps, duplicating the function of the built-in Android launcher. Facebook Home can detect which apps you're using, though it doesn't gather data on the usage itself.
For example, Facebook Home will know you're playing Angry Birds, but it won't know your score. It can tell you're using WatchESPN, but not that you were streaming the Giants game.
Facebook Home comes pre-loaded on the HTC First, a midrange handset currently available on AT&T Wireless. There isn't, and likely won't be, a version for the iPhone, because Apple doesn't give developers as much access to the smartphone operating system as Google does.
Some security problems with Facebook Home have already appeared. For one, Facebook Home seems to disable the lockscreen on the HTC First, even if a PIN passcode is enabled. (Pattern locks work as intended, and the issue doesn't affect other phones.)
Facebook spokesman Frederic Wolens said the PIN-passcode-bypass bug was in the HTC phone and not the Facebook Home app. HTC told us it was looking into the issue. [See video of bypassing the Facebook Home lock screen on the HTC First.]
Even though Cover Feed starts as soon as the phone is left alone for a while, Wolens said, the lock screen is meant to come up if you want to comment on something or like it. So, in that sense, it isn't doing anything to the user's security settings, Wolens said.
(TechNewsDaily's own experiences belie that. When we tested HTC First phones at two different AT&T stores, we were able to bypass PIN passcode locks using Facebook Home and read and send emails, as well as access photo galleries, contact lists, Facebook Messenger and strangers' Facebook accounts.)
Wolens also noted that the biggest security problems arise if another person gets access to your phone, and there is not much Facebook can do about that. (PIN locks are meant to deny strangers access.)
While the PIN-code bypass isn't a difficult problem to correct — enabling the pattern lock instead of the PIN lock seems to work, as does a full factory reset — this kind of glitch raises questions, said Chester Wisniewski, senior security adviser at the British anti-virus firm Sophos.
"HTC and the other phone makers have eight years of experience with [phone security]" that they've built up over years of solving problems, Wisniewski said. "Facebook hasn't got any of that."
Even if Facebook makes its best effort to address the passcode problems, the fact is that putting Facebook Home front and center increases an Android phone's "attack surface," or the number of ways a hacker can get in.
"Facebook is such a big target — within hours I'd bet every hacker was trying to figure a way around it," Wisniewski said.
On the bright side, such visibility means that vulnerabilities will be publicized and fixed. (Facebook says it is committed to monthly updates.)
Independent privacy and security researcher Ashkan Soltani said the problem may be that Facebook wants to make using Facebook Home seamless and frictionless — goals that sometimes bump up against the needs of a secure system.
"Security is often a barrier to interactivity," Soltani said. "But the fact that they are not prioritizing this is problematic."
Facebook, following you wherever you go
In addition to security issues with Facebook Home, there are concerns about data and ads. There are no ads yet on Facebook Home, but that probably will change in the future. Facebook makes its money from advertising and the data on users the company collects.
Facebook Home doesn't collect much more data than the ordinary app or website does, but it is one more avenue for the company to do so.
Facebook Home was created partly to increase the amount of time people spend on Facebook, which could potentially boost the number of times a person hits "Like" on something, or comments on a posting.
Wisniewski said the real thrust of Facebook Home might be toward a demographic that is typically less worried about privacy: teens and young adults.
The old Sidekick smartphone, Wisniewski said, was designed to let teenagers easily communicate with one another without incurring the expense of texting. It was a big success for T-Mobile for several years, with famous celebrity users such as Paris Hilton.
Facebook, he said, may be aiming for the same thing.
"These are people who don't have 'bring your own device' problems at work, so they aren't as concerned," Wisniewski said. "They aren't exchanging stuff that's sensitive," at least in the legal sense.