
I am trying to understand how the authentication of FB happens on mobile devices (iOS/Android).

Only the first time, when I installed the FB app, did I enter the username/pwd. That's it. From then onwards, it auto-authenticates itself.

1) Does the FB mobile app store the username/pwd on the device in any file?
2) Will it use OAuth or a similar token mechanism? If so, where is the token stored on the device?

I guess my question is, in which memory/path/filename is it stored, so that it is secured and cannot be accessed by other apps/root users?

Thanks much

Srinivas KK

1 Answer

That's a good question.

It's dangerous to store a user's password in a standard local directory on a device, for the obvious reason that if the phone is compromised a hacker may have access to a password that is likely shared between accounts (do you have a different password for every service you use?).

However, storing a username in the device's default storage is not so problematic, and that is generally the method of choice. For iOS this would be NSUserDefaults.

Now, in the case of passwords and tokens (which are certainly necessary and FB would not cut corners on having token-based auth), both being secure contents that ought to be protected, they are generally stored in some sort of encrypted keychain. In the case of iOS, 256-bit encryption by virtue of Keychain Services.

Therefore, when you build an application with auto-login, you retrieve the password and token from the keychain on load. However, if the device were to be lost and end up in the wrong hands, all of this data would be encrypted and inaccessible.

Of course, let's not pretend this method is fool-proof: http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/.

EDIT: Although my background is iOS, I am aware that Android uses the Keystore as its alternative.

https://developer.android.com/training/articles/keystore.html

Faris Sbahi
  • I thought Keychain Services on iOS were secure, but after seeing your link I am giving it a second thought. How about on an Android app: where exactly can the password/token details be stored to be secured (the equivalent of the keychain)? – Srinivas KK Aug 16 '16 at 23:26
  • @SrinivasKK I agree, it is concerning. See my edit for Android. – Faris Sbahi Aug 16 '16 at 23:33
  • I just did a test on my wife's Android device. I went to Settings -> Application manager -> Facebook -> Clear data. Now I opened the FB app and got the login screen with the user ID prepopulated. I think the pwd was stored in some file or keystore which was cleared. I don't know how to clear the data on my iPhone. Any thoughts/inputs? Thanks for the answers and also for the edit on Android. – Srinivas KK Aug 16 '16 at 23:43
  • That's a good question, and I'll explain why. It turns out that there's no way to clear the keychain from a user's device on iOS. However, of course, it's vitally important at times when building software. Therefore, my method is adding a line of script to my app which clears the associated keychain, running it on the device, then commenting out the script and running the app again as usual. – Faris Sbahi Aug 16 '16 at 23:52
  • That explains how a developer can remove a keychain. That's fine. Will you be able to put your expertise on this thread too, if you can: http://stackoverflow.com/a/38776438/6669772 Appreciate your knowledge and help. – Srinivas KK Aug 17 '16 at 00:15
  • Take a look at my input that I added to the thread. Feel free to ask any more questions that you have. – Faris Sbahi Aug 17 '16 at 00:49
  • @SrinivasKK I've edited my answer on that thread as a response. – Faris Sbahi Aug 17 '16 at 03:59
  • Thanks very much. Your latest edits explain the process very clearly. I am trying to put all the pieces together in a flow document. Will let you know once it is done, for your feedback. Thanks much, have a good night. – Srinivas KK Aug 17 '16 at 08:09
  • @SrinivasKK No problem, glad I could help. Feel free to formally accept my answer on SE. :wink: – Faris Sbahi Aug 17 '16 at 16:33
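The answer above describes the split between non-secret data (username in NSUserDefaults) and secret data (password/token in the Keychain), and the comment thread touches on a developer clearing the keychain item between test runs. The following is an added example, not code from the original answer or from Facebook's app, showing that pattern with Keychain Services on iOS: a generic-password item holding a session token, plus a delete routine that serves as the "clear it while developing" step. The service identifier, the account name and the token value are constructed for this example.

```swift
import Foundation
import Security

/// Added example: minimal Keychain wrapper for a session token.
/// Hypothetical service identifier; a real app would use its own.
enum KeychainStore {
    static let service = "com.example.authdemo"

    enum KeychainError: Error {
        case unhandled(OSStatus)
    }

    /// Store (or overwrite) the token for `account`.
    static func save(token: String, account: String) throws {
        // Remove any existing item first so SecItemAdd does not return errSecDuplicateItem.
        try delete(account: account)
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: Data(token.utf8),
            // Only readable while the device is unlocked, and never restored
            // from a backup onto a different device.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
    }

    /// Read the token for `account`; nil means no stored session (show the login screen).
    static func load(account: String) throws -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unhandled(status)
        }
        return String(decoding: data, as: UTF8.self)
    }

    /// Remove the token; also the step a developer runs to reset a test device.
    static func delete(account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        let status = SecItemDelete(query as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unhandled(status)
        }
    }
}

// Usage: non-secret username goes in UserDefaults, the secret token in the Keychain.
let defaults = UserDefaults.standard
defaults.set("srinivas@example.com", forKey: "username")          // constructed value

if let user = defaults.string(forKey: "username") {
    // Constructed token value; a real app receives this from the login response.
    try? KeychainStore.save(token: "sess-token-0123456789", account: user)

    // On next launch: token present => auto-login, nil => prompt for credentials.
    if let token = try? KeychainStore.load(account: user), !token.isEmpty {
        print("auto-login with stored token for \(user)")
    } else {
        print("no stored session, show login screen")
    }
}
```

Two design points are worth noting. `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` keeps the item out of device-to-device backup restores and makes it unreadable while the phone is locked, which is the property the answer relies on for a lost device. And the app never needs the password at all once it holds a token: storing only the token means a compromised keychain exposes a revocable session rather than a credential the user may reuse elsewhere.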