Security has always been a major issue on mobile platforms. iOS is great but also it is prone to security breaches and malwares on iOS have increased significantly. Recently, security researcher and mobile app developer Gareth Wright discovered a flaw in Facebook iOS app that can allow hackers to steal Facebook login passwords from the device. But how does it do that?

Facebook stores application data in plain text form in a plist file located within Facebook application directory on the device. The file contains Facebook authorization key in unencrypted form. So, getting access to the plist files means getting access to user's Facebook account.

Gareth Wright has shown that the hack works. However, it is yet unknown whether this flaw is present on Android devices or not. Reportedly, Android OS is more bug-friendly than iOS. So, possibility is high that this security flaw exists on Android devices too.

However, according to Facebook, the exploit cannot work until the device is jailbroken. Modifications are responsible for exposing confidential data.

"Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues," said a Facebook spokesperson in an official statement.

Facebook said that this only works on jailbroken device, but Gareth Wright is not willing to accept it. According to the security researcher, the exploit works on all iOS devices unchanged of the fact that whether the device is jailbroken or not.

"I feel I should reiterate, Facebook are playing this down and that's fine, but saying it only effects stolen and jailbroken phones is not. The biggest risk is from malware and viruses designed to slurp data from devices plugged into PC's, so despite what any other articles say; jailbroken or not you ARE vulnerable!," he said. "When tested this worked on locked passcoded unmodified iOS Devices."

(reported by Johnny Wills, edited by Surojit Chatterjee)