To help whitehat hackers easily test the security of its homegrown mobile apps, Facebook has launched a new feature called Whitehat Settings. The setting applies to the Facebook, Instagram, and Messenger apps for Android; it is currently unavailable on the iOS platform.
The company expects whitehat hackers to use this feature on their own accounts to hunt bug bounties, and advises keeping these settings turned off when not actively testing the traffic for vulnerabilities.
How to enable Facebook ‘Whitehat Settings’?
To enable the Whitehat Settings, you need to visit Facebook’s web interface and open this link.
Now choose the settings that you want to enable — for instance, the installed CAs (Certificate Authorities) for your accounts. Further, you need to select the apps (Facebook, Instagram, Messenger) that you wish to test.
Once you’re done with the web interface, sign out of your Facebook mobile app and sign in again to make sure that the new settings show up in the Settings section of your apps.
Talking specifically about the Facebook app, you get an option to force the app to use TLS 1.2, which is supported by proxies like Burp. Further, you can also make Facebook trust the CAs you have installed yourself.
Once you’re done and you reopen the app, Facebook will enable all the selected options and display a Network testing mode banner at the top.
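To make the two switches described above concrete, here is an added example (not Facebook's code, and not taken from the article) that models how a pinning client can be gated by a per-account testing toggle. The SubjectPublicKeyInfo byte strings, the `NetworkTestSettings` names and the TLS version tuples are all constructed assumptions for illustration; what it shows is why pinning rejects a chain that ends in a user-installed CA by default, why the toggle only widens trust when explicitly switched on, and how a "force TLS 1.2" setting caps version negotiation.

```python
"""Model of an app-side certificate-pinning policy with an opt-in testing mode.

Added example, not Facebook's implementation. All byte strings are constructed
placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for SubjectPublicKeyInfo DER (not real keys).
PROD_LEAF_SPKI = b"constructed-spki:production-leaf-key"
PROD_CA_SPKI = b"constructed-spki:production-intermediate-key"
USER_CA_SPKI = b"constructed-spki:user-installed-test-ca"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-generated-leaf"


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo)), the usual public-key-pinning form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class NetworkTestSettings:
    """Per-account toggles (hypothetical names). Both default off: production behaviour."""
    trust_user_cas: bool = False
    force_tls12: bool = False
    user_ca_pins: frozenset = frozenset()


@dataclass
class PinPolicy:
    pins: frozenset  # pins baked into the app for the production chain

    def accept_chain(self, chain_spkis, settings: NetworkTestSettings):
        """Return (accepted, reason).

        A chain passes if any certificate in it matches a baked-in pin. Only when
        the testing toggle is on does a user-installed CA's pin also count, so a
        proxy-generated chain is rejected in the default configuration.
        """
        chain_pins = [spki_pin(s) for s in chain_spkis]
        for p in chain_pins:
            if any(hmac.compare_digest(p, known) for known in self.pins):
                return True, "matched baked-in pin"
        if settings.trust_user_cas:
            for p in chain_pins:
                if any(hmac.compare_digest(p, u) for u in settings.user_ca_pins):
                    return True, "matched user-installed CA (network testing mode)"
        return False, "no pin matched; connection rejected"


def negotiate_tls_version(server_offers, settings: NetworkTestSettings):
    """Pick the highest version both sides support, capped at 1.2 when forced.

    Versions are (major, minor) record tuples: TLS 1.2 = (3, 3), TLS 1.3 = (3, 4).
    Returns None when no acceptable version remains (nothing below 1.2 is allowed).
    """
    client_max = (3, 3) if settings.force_tls12 else (3, 4)
    candidates = [v for v in server_offers if (3, 3) <= v <= client_max]
    return max(candidates) if candidates else None


def banner(settings: NetworkTestSettings) -> str:
    """Text the app would show while any testing toggle is active."""
    return "Network testing mode" if (settings.trust_user_cas or settings.force_tls12) else ""


if __name__ == "__main__":
    policy = PinPolicy(pins=frozenset({spki_pin(PROD_CA_SPKI)}))
    off = NetworkTestSettings()
    on = NetworkTestSettings(trust_user_cas=True, force_tls12=True,
                             user_ca_pins=frozenset({spki_pin(USER_CA_SPKI)}))
    print(policy.accept_chain([PROXY_LEAF_SPKI, USER_CA_SPKI], off))
    print(policy.accept_chain([PROXY_LEAF_SPKI, USER_CA_SPKI], on))
    print(negotiate_tls_version([(3, 3), (3, 4)], on), repr(banner(on)))
```

The two points worth taking from the model: the widened trust is scoped to a single account's explicit setting and stays off by default, and the version cap never admits anything older than TLS 1.2, so enabling the toggle does not reopen legacy protocol versions.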
With the implementation of newer security mechanisms like certificate pinning, it has become harder for whitehat hackers to test the apps for server-side flaws. Security researchers will surely welcome this step taken by the blue social network, as it will allow them to check the apps more efficiently.