Facebook Ups Application Security with Roles, Whitelists, and Notifications

Facebook today introduced new security features and a roles system to help developers prevent unauthorized changes to their applications. Developers can set up IP address whitelists for making requests or setting changes to their apps, receive email notifications of changes, and use an access control model to establish which privileges each of their team members has.

The application security announcement follows yesterday’s revamp of user security. As applications can touch tens of millions of users, preventing their control from falling into the wrong hands is essential to making users feel comfortable trying new apps as well as attracting developers to the Platform.

Application Roles

Developers can now access a Manage Users section in the About tab of the Developer application. It can help them minimize the impact of having a team member’s account hacked. The panel allows them to assign friends with one of the four following roles:

Administrator: Complete access to all settings and insights, including the abilities to reset the application secret key, delete the application, and choose the roles of others. Only the most trusted team members who need total control should be set as administrators. Anyone with application access from before the implementation of the roles system will start as an Administrator by default.

Developer: Access to all technical settings and insights, except they can not reset the app’s secret key, delete the app, or modify roles. The typical development team member should be given this role.

Tester: Ability to test the app in sandbox mode. They have no access to settings or insights. Users assisting with play testing and bug detection should be appointed to this role.

Insights User: Ability to view performance metrics on the application’s Insights dashboard, but no sandbox or settings access. Third-party marketing partners, consultants, and PR should be assigned as Insights Users.

Whitelists and Email Notifications

In the Advanced tab of the Developer application, those with the Administrator or Developer roles can use a new Security panel. If they choose to add IP addresses to the Server Whitelist or Update Settings IP Whitelist, requests and settings changes will only be able to be made from these addresses.

If developers always modify or test their app from an office or specific set of computers, these whitelists can protect their apps from outside meddling. However, in the case of a server crash, weekend emergency or similar urgent need to access the app’s settings, the whitelists can prevent the legitimate owners from making changes from the nearest computer.

The Update Notification Email field allows developers to specify an address that will be pinged whenever changes to the app are made. This can keep development teams aware of each other’s work, or let independent developers know if someone else has gained unauthorized access.