Facebook introduces “Whitehat Settings” feature to help bug hunters analyze traffic in its mobile apps
Facebook last week added a new “Whitehat Settings” feature that allows bug hunters to easily pentest the security of Facebook, Messenger and Instagram applications for Android. This feature allows security researchers to bypass Facebook’s Certificate Pinning security measure.
For those unaware, Certificate Pinning is designed to secure the data Facebook users transmit and to prevent them from becoming victims of network-based attacks by automatically rejecting connections that present fake SSL certificates. Because almost all Facebook-owned apps use Certificate Pinning by default, it has been difficult for Whitehat researchers to test those apps for server-side security vulnerabilities.
With the introduction of the new option, researchers can now easily bypass Certificate Pinning on the Facebook-owned mobile apps like Facebook’s main app, its Messenger instant messaging client, and the Instagram app by:
- Disabling Facebook’s TLS 1.3 support
- Enabling proxy for Platform API requests (applies to Facebook on Android only)
- Using user-installed certificates for easier traffic interception
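To illustrate the mechanism behind the pinning described above and the "user-installed certificates" option, here is an added example of an Android network security configuration; it is not Facebook's own configuration and does not reflect how the Facebook, Messenger or Instagram apps are built. The hostname `api.example.com`, the expiration date and the two pin values are constructed placeholders. It shows the pattern a defender wants: pins are enforced for release builds, while user-installed CAs are honoured only under `<debug-overrides>`, which Android applies solely to builds marked `android:debuggable="true"`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not Facebook's configuration).
     Referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>
    <!-- Production rule for a placeholder API host: a TLS connection is accepted only if
         the server's certificate chain contains one of the pinned SubjectPublicKeyInfo
         hashes. Any other certificate, including one issued by a CA the user installed,
         is rejected, which is what blocks proxy-based traffic interception. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <!-- Placeholder pins: base64 SHA-256 of the current key's SPKI and of a
                 backup key kept offline, so a key rotation does not brick the app. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trust-anchors>
            <!-- Release builds trust only the system CA store, never user-added CAs. -->
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>

    <!-- Debug-only override: Android applies this block only when the app is built with
         android:debuggable="true", so release builds keep the strict rule above.
         overridePins="true" lets chains signed by a user-installed CA (for example an
         intercepting proxy's CA added by the tester) pass the pin check during testing. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" overridePins="true"/>
            <certificates src="system"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The two pins shown are placeholders, not hashes of any real key; a real pin is the base64-encoded SHA-256 digest of the server key's SubjectPublicKeyInfo. The point of the layout is separation: pinning and the system-only trust store remain in force for every build a user can install, and the relaxed trust store exists only in a configuration section the platform ignores outside debug builds. A product-level toggle such as Facebook's Whitehat Settings achieves a similar effect for researchers without requiring a separate debug build.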
“Choose not to use TLS 1.3 to allow you to work with proxies such as Burp or Charles which currently only support up to TLS 1.2,” Facebook says. “These settings are configured in two places. The first is via the Web UI and the second is via the app UI. In other words, to access these settings from your mobile device, you must first enable them from your Facebook account through the Web,” Facebook notes.
The new feature will allow Whitehat bug hunters to analyze network traffic related to the Facebook, Messenger and Instagram applications when searching for vulnerabilities and report them through the company’s bug bounty program.
The social media giant also recommends that Whitehat bug hunters turn off the settings when they are not testing Facebook’s website for security vulnerabilities.
Currently, the Whitehat Settings feature is supported only on Facebook’s Android apps, not on iOS.