Facebook’s quest to stop risky apps from using its services may take longer than expected, according to a recent report from cybersecurity company Trustlook. Trustlook has identified 25,936 malicious apps that are currently using one of the social media giant’s APIs, such as a login API or messaging API. App developers, when using these APIs, are able to obtain a range of information from a Facebook profile—things such as a name, location, and email address.
“It’s not surprising to discover so many malicious apps still utilizing Facebook services,” said Allan Zhang, co-founder and CEO of Trustlook. “Facebook’s growth and accessibility have made them a target for malicious developers for many years. It may take the company a while to clean up their ecosystem.”
Trustlook discovered the malicious apps within its SECUREai App Insights product, which continuously scans apps from across the world, and provides more than 80 pieces of information for each app, including permissions, libraries, risky API calls, network activity, and a risk score. This allows app store owners, app developers, and researchers to make informed decisions when assessing the risk of an app. SECUREai App Insights is currently securing three of the top five app stores in the world.
The Cambridge Analytica data-harvesting scandal has forced Facebook to take significant steps to protect its users’ privacy. App developers are no longer permitted to access as much data about Facebook users as they once could. In addition, Facebook CEO Mark Zuckerberg says the company will “audit” thousands of apps, and hire 10,000 new security and content moderation employees this year.
But questions remain. Does Facebook have the expertise to review the thousands of apps out there syphoning user’s data surreptitiously? Can it do it at scale? Can it hire thousands of security employees, considering a 2017 report on the state of the cybersecurity industry that projected the field will be short 1.8 million workers globally by 2022?
Whether Facebook can accomplish their goals remains to be seen, but it’s clear the company needs better visibility into how user information is being handled by third-party apps. And most likely it needs a sophisticated piece of software to help.
To be fair, Facebook is not the only company with its APIs embedded in malicious applications. Twitter, LinkedIn, Google, and Yahoo offer similar options to developers, and thus their user data faces similar exposure. Experts conclude that all of these companies need to remain diligent about what user information is being granted to apps.
Edited by Daniëlle Kruger
Follow IT News Africa on Twitter
