This content is part of the Essential Guide: How to manage application security best practices and risks

Facebook user data: How do malicious apps steal user data?

Malicious apps collected Facebook user data through Facebook APIs. Expert Michael Cobb explains how social networking platforms can monitor third-party apps' access to data.

Security researchers at Trustlook claim that nearly 26,000 malicious apps used Facebook APIs to collect Facebook user data. What type of APIs did these apps use, and is there anything Facebook can do to prevent bad actors from using them to harvest data?

Data scientist Aleksandr Kogan developed an app, thisisyourdigitallife, which enabled Cambridge Analytica to collect the personal details of 80 million Facebook users. Although the app was only downloaded 270,000 times, it collected Facebook user data from users and their Facebook friends.

When someone uses Facebook Login to connect with apps and services, they grant those apps access to a range of information from their Facebook profile. In 2015, Facebook also allowed apps to access some information from the friend networks of people who used Facebook Login, even though those friends may not have agreed to share their data.

Although Kogan gained access to this vast data set in a legitimate way and through the proper channels that governed developers on Facebook at that time, he shared it with Cambridge Analytica, violating Facebook's policies. Plus, the app was presented as a personality quiz, but the data collected was used for political marketing.

According to research by Trustlook, Cambridge Analytica is probably not the only company that has taken advantage of -- or abused -- Facebook's data policies to gather Facebook user data. Using its Secureai App Insights technology, Trustlook identified almost 26,000 apps it classifies as malicious that use at least one of Facebook's APIs, such as the login or messaging APIs.

Secureai assigns a risk score based on 80 data points it collects on the apps it scans, including permissions, libraries, risky API calls and network activity. Although these apps may not be harvesting personal data on the scale of Cambridge Analytica, the fact that they are deemed malicious means they may be abusing the permissions associated with certain Facebook APIs and misusing the personal data they provide access to.

Facebook was naïve to assume all app developers would use Facebook user data according to their policies and terms of service, and Facebook's CEO Mark Zuckerberg acknowledged making a mistake in trusting app developers. He has promised that Facebook will audit thousands of apps and give users easier tools to manage how their data is used and shared. But requiring developers to sign a contract before they are allowed to ask Facebook users for access to their posts is unlikely to deter bad actors.

A feature to revoke an app's access will be given more prominence on Facebook's site, but users still need an easy way to understand what they are actually agreeing to when they grant an app various permissions. The terms of use and data policies of Instagram, which is owned by Facebook, are over 7,000 words long and judged as difficult to read. Hopefully, this is an area the new GDPR's conditions for consent will help improve, as it requires the request for consent to be "presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."

However, preventing bad actors from using Facebook and other social networks to harvest personal data requires these platforms to offer far better visibility into how user information is handled by third-party apps. This means constant monitoring and scanning to detect behavior that is incompatible with usage policies. Surely border gateways and internal checks should be able to detect when an app used by 270,000 people retrieves personal data from 80 million users.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing