WebView vulnerability in Facebook Android SDK embedded OAuth

Reposting this from my FB feed

## TL;DR

Don’t put your FB username and password into mobile apps when you don’t have the native FB app installed!

Today I learnt that the Facebook SDK for Android is very insecure. At first I thought Man-in-the-Middle attacks on the SDK OAuth authentication process were not possible, but if you embed someone else’s WebView within your own app via the SDK, you can very well control it, either via reflection or simply by modifying the SDK code, because FB makes the SDK a public download which you then compile and link into your app. If the SDK does not find the FB app installed on the user’s phone, it falls back to using an embedded WebView for authentication.

That said, I hacked around to see if injecting JavaScript into the WebView was possible, and it was. With a small change I could actually get the victim’s username and password by making him/her uninstall Facebook on their phone and use FB login in my app. This is bad, real bad. There is no way of telling whether the username/password was stolen by the underlying app during the FB login, since only the developer of the app controls that. And he/she can modify the SDK to suit their evil needs. I wonder if there are any apps that do that already.

The images below show the embedded WebView login (with the cross mark) and the intercepted username and password. The last image shows the native FB login provided by the Facebook Android app.

If you are interested in reproducing this, apply this diff to the FB SDK’s WebDialog.java and you will be pretty amused.

[Image: Web Login] An embedded WebView OAuth sign-in procedure.

[Image: WebView Hack] Injecting JavaScript results in this.

[Image: Native Login] The actual Android login is supposed to look like this.