Facebook adds ‘Whitehat Settings’ to help security analysts study suspicious traffic

• This new option is now available on Android apps of Facebook, Messenger, and Instagram.
• It is mainly designed to allow analysis of traffic on these mobile apps.

On Friday last week, Facebook released a new security feature as part of its measures to boost security on mobile platforms. The new ‘Whitehat Settings’ are designed for security researchers to inspect traffic on mobile apps of Facebook, Messenger, and Instagram.

The social media company wants ‘white hat’ researchers to take part in identifying vulnerabilities in the platform despite facing flak for security and privacy issues.

What does the feature entail?

• ‘Whitehat settings’ focuses on a security mechanism known as Certificate Pinning. This mechanism safeguards Internet traffic from Facebook’s mobile apps against malicious activities such as sniffing.
• Certificate Pinning can now be disabled by researchers to analyze traffic and detect any server-side security anomalies.
• ‘Whitehat settings’ also contain sub-options such as enabling proxy for Platform API requests, provision for allowing user-installed Certificate Authorities(CA) & turning off TLS 1.3 for certain proxies.
• In order to access ‘Whitehat settings’ on the mobile apps, it has to be enabled through the web version of Facebook.

Improving security mechanisms

Although the introduction of this new option can provide easy access to the network traffic from Facebook, it is intended to give a clear picture of its security rather than exploiting it.

“These mechanisms are designed to raise the barrier of entry for an attacker seeking to break the integrity and confidentiality of the traffic sent from the client (user device) to the server (Facebook's infrastructure). These measures enhance the security of the data in transit, but they also make it harder for our Whitehat researchers to test our mobile apps for server-side security vulnerabilities as was highlighted by our Whitehat survey,” Facebook emphasized.

Overall, security researchers can now uncover bugs in the Facebook in an easier way from now on.