- Managing Facebook security and privacy is difficult from a mobile phone
- MobileActive releases a guide to mobile security on the social network
- Guide says it may be safer to use Facebook's mobile site than its app
- Wi-Fi connections may present their own security concerns
Configuring your Facebook settings from a laptop is confusing enough, but try monitoring your Facebook privacy and security setting on a mobile phone. It's even more of a mess.
There's some help on the way, however. On Tuesday, the nonprofit group MobileActive published its list of tips for using mobile Facebook more safely.
About one-third of Facebook's 750 million active users worldwide access the service via mobile phones.
MobileActive's mobile Facebook guide is written with activists in mind (especially in light of the key role that Facebook played in many Arab Spring uprisings), but it's useful for any Facebook user.
Some Facebook-related mobile security risks have to do with how you use Facebook in general. Others relate to how your phone and its various mobile communication channels handle security when you're using a Wi-Fi connection rather than your carrier's data network.
For instance, many people set their phone to use a Wi-Fi connection whenever possible, in order to curb their data usage, which can get expensive. If you use Wi-Fi on your phone, depending on how your mobile browser or Facebook app handles security, someone might snoop on your login credentials ("sidejacking") and use them to impersonate you on Facebook. They could even lock you out of your own account.
Sidejacking is a Wi-Fi-related risk for many online services, not just Facebook. The main way you can protect yourself is to always use a secure connection (URLs that begin with "https" rather than "http") when logging in to an online account from any device, including your phone.
You can configure your Facebook account to always use "https." However, MobileActive cautions: "Be aware that this setting is not applied when browsing from a phone! You may also notice that some applications warn you that you cannot access them using HTTPS. If you use such applications, be aware that they may turn the 'always use HTTPS' setting off -- you will need to go back into your account settings and turn it back on every time."
So this means that using Facebook's mobile website could be more secure than using a Facebook app -- when you're on Wi-Fi. And the same would be true for Twitter, Tumblr and other services.
It's a good idea to bookmark the mobile websites for the services you use -- the URL versions that start with "https," of course -- on your phone's browser. Then use those sites (rather than service-specific apps) when accessing them over an open or shared Wi-Fi network.
Also, check that your mobile browser really can make a secure Web connection. MobileActive notes that some older or more primitive browsers (probably including many browsers that come pre-installed on feature phones) may revert the connection to "http," which is not secure. So once you've tried to access a site using "https," after the page loads, double-check the location bar in your browser to make sure it still says "https."
If you prefer to use Facebook apps, it's safer to turn off Wi-Fi access on your phone while you're using them. Your carrier's data connection is more secure. This is especially important if you use your Facebook account to log in to additional sites, via the Facebook Connect service; it would be bad enough just getting your Facebook account hacked, let alone everything else you've connected that account to.
MobileActive also notes that Facebook provides extra options to help you control which devices can access your account.
"Log-in notifications warns you every time your account is accessed from a new device (both computers and phones). Log-in Approvals takes things a step further by requiring you to enter a code sent to your mobile phone every time you access the site from a new device. And in the U.S., Facebook users can send a text message to a predefined number to request a one-time password."
MobileActive's guide did not address third-party services (such as PicPlz) that can be used to post photos or video to Facebook, Foursquare and other services. But in general, if you use these tools, be aware of the various audiences and level of privacy each service affords. Before you upload a photo, make sure it's getting cross-posted only to the services you wish to use.