I have a question regarding Facebook Connect's security model. How hard would it be for a hacker to write an iPhone app which uses FB Connect, but also captures the username / password that is entered by a user on the FB Connect login dialog box? From what I can think of, one could look at the UITextField in the UIWindow and be able to capture the text entered. Or, even more subtle, replace the keyboard keys with your own buttons that look exactly like the iPhone keyboard, but the keys pressed are processed by the app. Or capturing the location of the touches (when keyboard is up) and guessing which keys were pressed.

Any thoughts?

+1  A: 

Since the Facebook Connect source code is freely available, modifying it and fooling the user actually shouldn't be that hard.

Looking at the source code, the login/password are coming from a web view. So, you simply direct the user to your own fake URL the first time, notify them that they entered the wrong password, and then send them to the right URL the second time. Unless they are monitoring their connection, the user can't tell what has happened.

Nathan S.
A: 

Writing an app that would fool the user to get his Facebook password would be really easy.
Having this application stay on the App Store once the developer starts to use the passwords for nefarious purposes would be harder.

Guillaume