Facebook is using a “Quick Tips” right sidebar module to educate users on the extended permissions system and direct them to the App settings dashboard where they can manage the permissions they’ve granted to apps. With the title “Understand the Apps You Use”, the module may be designed to reduce the occurrence of users granting permissions to unscrupulous developers in the wake of a small data leak that gave access to unauthorized third parties.
Last week, a threat was revealed in which authentication tokens granting access to user data were transmitted in unsecured HTTP Referer headers. This could allow ad networks and other unauthorized partners of authorized developers to steal user data.
Facebook responded by accelerating its app security roadmap such that all apps would be required to use the secure authorization protocol OAuth 2.0 by September 1st, and obtain an SSL certificate by October 1st. It also notified developers suspected of leaking data that they must improve the security of their apps or risk suspension. This caused some confusion, as not all developers who received the email warning exhibited data leaks.
To round out this pursuit of improved security, Facebook now looks to be expanding its user education efforts. The Quick Tips sidebar module appears occasionally to users while they surf the site, similar to established social modules such as People You May Know, as well as newer modules such as Previous Status Updates (formerly titled Memorable Stories) and Discover New Games.
The module reads “Apps on Facebook ask for permission to access your information before you use them. Take the time to understand them.” This addresses the issue that users have become conditioned to clicking through the app permissions without properly reading them or vetting the app.
Clicking within the module takes users to the Apps You Use section of the App, Games, and Websites Settings dashboard that Facebook launched in October to improve management of given permissions. There users can see which apps they’ve authorized, when an app last accessed their data, what permissions they’ve granted each app, and options to revoke permissions or remove apps. However, little user-facing outreach for the dashboard has been done to date, so some app users may not even realize they have these options.
While the dashboard explains its functionality, there’s little explanation about why careful assessment of an app’s reputation and requested permissions is important. Facebook’s recently launched cross-site scripting and clickjacking prevention security measures do a much better job of informing users how to take security into their own hands.
This Quick Tips module points users in the right direction, but the Facebook novices who are most vulnerable to the few malicious developers on the Platform may need deeper instruction on why critical thinking about installing an app can protect them, their friends, and the Facebook community at large.
[Thanks to Brittany Darwell for the tip]