Developer Petitions Facebook to Create a More Secure Instagram API

Since the Cambridge Analytica debacle, Facebook has faced pressure from all corners to improve its security practices. In response, Facebook pared down the functionality of its Graph API as well as the Instagram API, doing so without warning and breaking numerous apps in the process. Now, one developer has petitioned Facebook to go even further in making the Instagram API more complete and secure.

Quique Osuna García has started a petition on change.org claiming that the “Instagram API is not complete or secure enough, consequently, this has caused developers to create new ways to use the service in their own applications, creating unsafe practices that motivate the storage of credentials (such as xAuth).” His argument is that the Instagram API is too restrictive and as a result is causing many developers to find workarounds that compromise the security of private user data.

According to García, developers cannot create new applications on the Instagram platform without the use of the Facebook API, but that API only works for Instagram users with an enterprise account. The result is that instead of using OAuth as a standard for authentication, a number of apps are choosing to implement xAuth, which then stores usernames and passwords. This user data gets stored in the app databases, which third parties can access upon consent of a user. While the use of xAuth goes against Facebook’s Terms of Service, García claims that “dozens of applications in the Google Play Store and in the Apple App Store are using it without problems.”

The petition asks Facebook to create a more widely available API that institutes an OAuth workflow. This would spare developers the cost of an enterprise account while still letting them use a widely accepted authorization approach. García is currently seeking 100 people to sign the petition.
 
