iOS 6 Security: Facebook, Twitter and Advertising
iOS 6 is tightly integrated with social networks. Under Settings in iOS 6, there are sections specifically dedicated to Twitter and Facebook.
Apple developers now have access to a new Social Framework that provides a programmatic and scalable way to integrate common social activities, such as posting messages and pictures on social sites, into the user experience of their applications.
iOS 6 provides application developers with OAuth-based APIs for social networks. This is well in line with the direction first set out by Twitter, which has mandated OAuth for 3rd party access since August of 2010.
When using Twitter with iOS 6, a user must first enter their credentials within the settings. From a security perspective this initially breaks the OAuth concept; however, from iOS 6 onward, iOS controls social access for apps.
Figure 1 Initial Twitter Account Setup
Any application that uses the new Social Framework API can request access to Twitter or Facebook. For example, the HootSuite application requests access to Twitter accounts. A user can (and must) answer “Don’t Allow” or “OK.”
Users can control access settings in two areas, either Settings::Twitter, or Settings::Privacy::Twitter.
When an application no longer warrants access to Twitter, you simply toggle the switch to off. When an application is uninstalled or removed, the option to control its settings is no longer available. However, iOS 6 remembers the initial access control settings for each application. If you initially granted access to an application (e.g., Flipboard), then removed it and later reinstalled it, it (Flipboard) would retain access to your Twitter account (caveat emptor).
You can list all the 3rd party applications granted access to your Twitter account within Twitter’s online settings at https://twitter.com/settings/applications. If you lose your phone and are concerned about someone tweeting from it, you can revoke all iOS applications' use of Twitter by logging into https://twitter.com/settings/applications and revoking access to “iOS by Apple”.
Facebook integration with iOS ties in with iOS Contacts and Calendar access.
You can disable this within Facebook settings, or additionally in Privacy for Contacts and Calendar.
Each application that attempts to access your Facebook information will detail what information is needed.
A new tracking identifier was added in iOS 6. This identifier is slated to replace the unique device ID (UDID), which identifies a specific device. Application developers that adhere to Do Not Track settings will honor the Limit Ad Tracking setting on iOS. However, this is currently not enforced by the platform; it is left to each app developer to enforce. To limit advertising tracking, users navigate to Settings::General::About::Advertising (at the very bottom).
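Because the platform leaves enforcement to the app, an app that respects Limit Ad Tracking has to read the preference and act on it itself. The following is an added example, not code from the original article; the helper names and the request parameter keys are hypothetical, while ASIdentifierManager is the AdSupport class Apple introduced with iOS 6.

```objective-c
#import <Foundation/Foundation.h>
#import <AdSupport/AdSupport.h>

// Hypothetical helper (not an Apple API): returns the advertising identifier
// for ad targeting only when the user has NOT switched on Limit Ad Tracking.
static NSString *TrackingIdentifierIfPermitted(void) {
    ASIdentifierManager *manager = [ASIdentifierManager sharedManager];

    // iOS 6 still hands out the identifier when the switch is on, so the
    // check below is the only thing standing between the setting and the
    // ad network. Skipping it silently ignores the user's choice.
    if (![manager isAdvertisingTrackingEnabled]) {
        return nil;
    }
    return [[manager advertisingIdentifier] UUIDString];
}

// Hypothetical helper: builds the parameters of an ad request. The keys
// ("placement", "ad_id", "targeting") are constructed for this example and
// do not belong to any real ad network.
static NSDictionary *AdRequestParameters(NSString *placement) {
    NSMutableDictionary *params = [NSMutableDictionary dictionary];
    params[@"placement"] = placement;

    NSString *identifier = TrackingIdentifierIfPermitted();
    if (identifier != nil) {
        // User allows tracking: the identifier may accompany the request.
        params[@"ad_id"] = identifier;
        params[@"targeting"] = @"behavioral";
    } else {
        // Limit Ad Tracking is on: send no identifier and fall back to
        // ads chosen from the content being shown, not from a profile.
        params[@"targeting"] = @"contextual";
    }
    return [params copy];
}
```

When reviewing an app or a bundled ad SDK, look for reads of `advertisingIdentifier` that are not guarded by `isAdvertisingTrackingEnabled`.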
Mikhael Felker is an IT pro who has worked in Defense, Healthcare, High-Tech and Non-Profits. He teaches, writes, and speaks at numerous Southern California venues about technology.
See here to check out all his Tom's IT Pro articles.