Today in APIs: Facebook SDK Security, Gnip Goes to China and Amazon In App Purchases

Adam DuVander
Apr. 10 2012, 03:57PM EDT

Backend-as-a-service company Parse found a vulnerability in Facebook's Android SDK that allowed apps to masquerade as users. Gnip has added to its network of social streams by partnering with the Twitter of China. Plus: Amazon in app purchases, an API for summer jobs and APIs to improve mobile performance.

Facebook's Android SDK: Tokens Exposed

You may remember Parse as the "apply via API" company. Now the company has helped the world's largest social network find a serious problem in its Android SDK: every app using the Facebook SDK on Android was potentially exposing its users' OAuth access tokens to any other app on the device that could read the system log.

Parse has a great run-down of the discovery, reporting and the fix:

In plain text, I could see the entire access token that had just been granted after logging in, encoded into a URL.

It wasn't immediately apparent to me that this was a problem. After all, this was coming from code that my app was running. As long as I was the only one who could see it, no harm was done. But I knew that logcat was essentially a public diagnostic bulletin board for Android applications, so I tried running a few other apps that use the Facebook SDK - big apps from developers like Foursquare, Zynga, and Sony - and observed that they also printed this line after I logged in.

Major apps using the SDK, such as those mentioned in the Parse post, have already been updated with the fixed version. Naturally, Parse incorporated the updates into its own platform, too.

Update -- a statement from Facebook:

We applaud the security researchers who brought this bug to our attention for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it and get an updated SDK in the hands of developers without it being exploited. Users are only vulnerable if they have a previously installed malicious application on their system that they have granted the "Read Sensitive Log Data" extended permission. Users can protect themselves by downloading the latest version of their applications and uninstalling any untrustworthy apps. Due to the responsible reporting of this issue to Facebook, no one within the security community has evidence of an application abusing this vulnerability. We have provided a bounty to the team to thank them for their contribution to Facebook Security.
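The failure mode Parse describes is a general one: a debug statement that logs a whole redirect URL also logs whatever the OAuth flow put in that URL, and on a shared log like logcat any app with log-reading permission can harvest it. The following is an added example (not Facebook's or Parse's code) showing the two checks a practitioner wants: a redaction step applied before a URL is logged, and a scanner run over logcat output to catch the leak pattern before release. The parameter names, tag names and log lines are constructed for illustration; the implicit-grant redirect carries the token in the URL fragment, which is why the query string alone is not enough.

```python
"""Redact OAuth secrets from URLs before logging, and scan logcat-style output
for URLs that still carry them. Added example; the sample log lines below are
constructed, not taken from a real device."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that must never reach a shared log. Assumption: this list is
# illustrative; extend it for the grant types your app actually uses.
SECRET_PARAMS = {"access_token", "refresh_token", "id_token", "client_secret"}


def _redact_pairs(encoded: str) -> str:
    """Replace the value of every secret parameter in a query/fragment string.
    Non-secret values are re-encoded in canonical form by urlencode."""
    if not encoded:
        return encoded
    pairs = parse_qsl(encoded, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return urlencode(cleaned)


def redact_url(url: str) -> str:
    """Return url with secret-bearing values removed from BOTH the query string
    and the fragment. Implicit-grant redirects (fbconnect://success#access_token=...)
    put the token in the fragment, so redacting only the query would miss it."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       _redact_pairs(parts.query), _redact_pairs(parts.fragment)))


def log_line_vulnerable(tag: str, url: str) -> str:
    """What an SDK that logs the raw redirect URL effectively writes to logcat."""
    return f"D/{tag}: Redirect URL: {url}"


def log_line_hardened(tag: str, url: str) -> str:
    """Same log statement with the URL passed through redact_url first."""
    return f"D/{tag}: Redirect URL: {redact_url(url)}"


# Matches secret parameters wherever they appear in a log line, with or
# without a surrounding URL. Kept to token-like names to avoid false
# positives on e.g. HTTP status "code=" fields.
TOKEN_RE = re.compile(r"(?i)\b(access_token|refresh_token|id_token|client_secret)=([^&\s#]+)")


def scan_logcat(lines):
    """Return (line_no, param_name, redacted_line) for each line that leaks a
    secret. Intended as a pre-release check over `adb logcat -d` output."""
    findings = []
    for n, line in enumerate(lines, 1):
        match = TOKEN_RE.search(line)
        if match:
            safe = TOKEN_RE.sub(lambda m: f"{m.group(1)}=REDACTED", line)
            findings.append((n, match.group(1).lower(), safe))
    return findings


# Constructed logcat excerpt: line 1 mimics the leak Parse described, line 4
# shows the same token leaking from a Graph API request log.
SAMPLE_LOGCAT = [
    "D/Facebook-WebView( 1234): Redirect URL: fbconnect://success#access_token=AAAExampleToken123&expires_in=5183999",
    "I/ActivityManager(  312): Displayed com.example.app/.MainActivity",
    "D/OAuth( 5678): callback https://example.com/cb?code=abc&state=xyz",
    "D/Net( 5678): GET https://graph.example/me?access_token=BBBAnotherToken&fields=id",
]


if __name__ == "__main__":
    redirect = "fbconnect://success#access_token=AAAExampleToken123&expires_in=5183999"
    print(log_line_vulnerable("Facebook-WebView", redirect))
    print(log_line_hardened("Facebook-WebView", redirect))
    for line_no, param, safe in scan_logcat(SAMPLE_LOGCAT):
        print(f"leak on line {line_no} ({param}): {safe}")
```

Run the scanner over a captured logcat from a full login flow of your own build; any hit means a debug statement is still emitting a credential, and the fix is to route that log call through a redaction step like `redact_url` (or drop the log entirely) rather than to rely on other apps lacking the log-reading permission.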

Gnip Now Includes Weibo Data

Customers of the Gnip API can access messages from China's largest microblogging site, according to a company announcement:

If you’re a large retail chain and people are talking about your brand, you want to know that immediately. But what if your brand is being talked about in Chinese on the largest microblogging service in China with 300 million members? For large Western brands with a presence in China, understanding what is happening on Sina Weibo is just as important as understanding any social media channel in English speaking locales.

There's also a Sina Weibo API that is one of 20 Chinese APIs in our directory.

Amazon Adds In App Purchases to Its App Store

The Amazon App Store was built to support its Kindle Fire, which is built on top of Android. But any Android device can use it and now any Android app can use Amazon's In App Purchase API, the company announced.

SlideToPlay says the Amazon store, with its "1 Click" purchases, could bring developers higher rates of conversion and more money.

API News You Shouldn't Miss

Anything else? Add it in the comments.

Adam DuVander Hi! I'm Developer Communications Director for SendGrid and former Executive Editor of ProgrammableWeb. I currently serve as a Contributing Editor. If you have API news, or are interested in writing for ProgrammableWeb, please contact editor@programmableweb.com Though I'm a fan of anything API-related, my particular interest is in mapping. I've published a how-to book, Map Scripting 101, to get anyone started making maps on websites. In a not-so-distant past life I wrote for Wired and Webmonkey.
