I've been Hacking Draw Something:
- Very cool. The Facebook OAuth key you found is probably unencrypted, but the question is whether other apps running can access it. I believe you found the same token as this person who you link to: http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft
Another major hole was present until recently in the Facebook API for the Android system, where the API echoed the key into the system debug console, from which it can be easily harvested: http://blog.parse.com/2012/04/10/discovering-a-major-security-hole-in-facebooks-android-sdk/
Apr 12, 2012
- On jailbroken systems it is indeed accessible, but not easily, as one has to have the path to the app directory which is a generated GUID.
On non-JB'd, you're safe so long as you don't attach it to someone else's computer.
Apr 15, 2012