What Are Facebook’s Whitehat Settings and How Can You Enable Them?

Facebook has just announced Whitehat Settings for its Android apps. Learn about what they are and how to use them.

If you think Mark Zuckerberg was kidding when he discussed the company’s new “serious” direction with regard to privacy, think again.

Despite another misstep while handling user passwords, Facebook has just taken a welcome step towards helping the white hat community uncover bugs and security flaws in Facebook apps.

Facebook has announced a new “Whitehat Settings” option for Instagram, Messenger and Facebook Android apps.

The new settings will enable ethical hackers to turn off the Certificate Pinning mechanism. This essentially bypasses the check that guarantees the app will only talk to genuine Facebook servers, so traffic that is otherwise encrypted and unreadable can be routed through an interception proxy of the researcher's own. This, in turn, gives them the ability to watch and analyze traffic for security flaws.

Facebook has taken this step in response to feedback from its white hat researchers who found it difficult to test the Facebook apps for possible server-side bugs and vulnerabilities.

Certificate Pinning

Certificate Pinning is a technique used to secure communication between a client and a server in a hostile or insecure environment. Even when security has been taken care of at the server end, communication following well-known protocols may be intercepted if the client can be made to trust a certificate that does not belong to the real server.

The pinning technique therefore associates a specific server certificate (or its public key) with the host. Communication is already encrypted between the server and the user, but certificate pinning takes it a step further: the app accepts only the certificate it expects for that host, rather than any certificate the device happens to trust.
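The following is an added example, not Facebook's code, that models the pinning decision described above: a client first validates the chain against its trust store, then compares the SPKI hash of the presented certificates with a pin set. The constructed SPKI byte strings, host names, root names and the single toggle that stands in for the "allow user installed certificates" setting are all assumptions made for illustration.

```python
import base64
import hashlib

# Pins are "sha256/<base64>" digests of the server's SubjectPublicKeyInfo (SPKI)
# DER, the format used by Android's network_security_config and OkHttp.
def spki_pin(spki_der: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for the DER-encoded SPKI of a leaf certificate (not real keys).
FB_SPKI = b"constructed-spki:CN=*.facebook.com:" + bytes(range(32))
PROXY_SPKI = b"constructed-spki:CN=mitm-proxy-ca:" + bytes(range(32, 64))

PINSET = {"*.facebook.com": {spki_pin(FB_SPKI)}}   # hypothetical pin set
SYSTEM_ROOTS = {"system-root-ca"}   # roots the OS trusts by default (constructed)
USER_ROOTS = {"mitm-proxy-ca"}      # roots the user installed on the device (constructed)

def host_matches(pattern: str, host: str) -> bool:
    # A leading "*." matches exactly one label, as in X.509 wildcard rules.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def validate_chain(host, chain, allow_user_installed_certs=False):
    """chain: list of (spki_der, issuer_name) from leaf to last intermediate.
    Returns (accepted, reason). Stage 1 is trust-store validation; stage 2 is
    pinning, which this model skips only when the testing toggle is on."""
    issuer = chain[-1][1]
    trusted = set(SYSTEM_ROOTS)
    if allow_user_installed_certs:
        trusted |= USER_ROOTS      # the toggle makes user-installed roots acceptable
    if issuer not in trusted:
        return False, f"untrusted issuer {issuer}"
    if allow_user_installed_certs:
        return True, "pinning disabled for testing"
    for pattern, pins in PINSET.items():
        if host_matches(pattern, host):
            presented = {spki_pin(der) for der, _ in chain}
            if presented & pins:
                return True, "pin matched"
            # A chain the OS trusts is still rejected if no SPKI matches a pin.
            return False, "no certificate in chain matches pin set"
    return True, "host not pinned"
```

With the toggle off, the proxy's chain fails even when its root has been installed on the device; with it on, the same chain is accepted, which is exactly why the account is exposed while the setting is enabled.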

The advantage of the new Whitehat settings offered by Facebook is that when a user disables the certificate pinning mechanism, it only affects that particular account. The disadvantage is that although it makes it easier to view the traffic and hunt for new bugs, the account is essentially vulnerable and prone to attacks while the settings are on.

It is best that once testing is done, the setting is turned off and disabled ASAP.

The option to disable certificate pinning is only available for the Android apps and can be activated for the following:

  1. Facebook App
  2. Messenger App (the instant messaging Facebook client app)
  3. Instagram App

So if you have ethical hacker genes in you, or maybe just want to see how it works, then follow the guide below on how to activate the settings for your account.

Whitehat Settings

Turning on the Whitehat Settings is a two-stage process. First, you need to visit the Facebook settings page for your account and enable the settings. Once that is done, you have the option available in the app to turn them on and off.

Stage 1 – Enabling the Settings – Web UI


  1. Navigate to the Facebook Whitehat Researcher Settings
  2. Here you will see further options to accept user installed certificates on your own account or on a test account.
  3. Check the option according to your needs.
  4. Once you have checked one or both of the options, click on the drop-down menu to reveal the available options for Facebook, Messenger and Instagram. Select the App you want to enable these options for.

Each time you check your required option, the page will process the change and then display an acknowledgment message that the particular option is activated.

Once these options are available, the next step is to activate them in your chosen app.

Stage 2 – Using the Settings

The steps to activate the Whitehat Settings on all of the three apps are similar with just minor differences. There are three options available in the settings. These are:

  • Enable Proxy for Platform API Requests: This option configures the built-in Facebook proxy for API requests and is available for the Facebook App only.
  • Allow User Installed Certificates: As the name suggests, this allows the app to trust certificates the user has installed on the device.
  • Do Not Use TLS 1.3: Turning this on turns off TLS 1.3 support and lets you work with proxies that only support TLS versions up to 1.2.

Turn on the Settings for Facebook App


  1. Open up the Facebook app.
  2. Change your account to the test one if you have one. If not then continue with your regular account.
  3. Go to the Bookmark menu and then to Settings and Privacy
  4. Select Whitehat Settings.
  5. Configure the following set of options as per your preferences:
    1. Enable proxy for Platform API requests – Configure.
    2. Allow user installed certificates – enable/disable.
    3. Do not use TLS 1.3 – enable/disable.
  6. Once you have set it up, exit the app and then open it again.

Facebook app restarted to show alarm on top


When opening the app now, you will notice a small banner alerting you that the network traffic is being monitored (by you, of course) and that network testing is available.

Turn on the Settings for Messenger App

  1. Open up the Messenger app.
  2. Change your account to the test account if you have one.
  3. Tap your Profile Picture to access Profile settings.
  4. Here you will see the Whitehat Settings. Click/tap it.
  5. Configure the following set of options as per your need
    1. Allow user installed certificates – enable/disable.
    2. Do not use TLS 1.3 – enable/disable.
  6. Once you have set it up, exit the app and then open it again.

Once again, when opening the app now, you will notice a small banner alerting you that the network traffic is being monitored (by you, of course) and that network testing is available.

Turn on the Settings for the Instagram App

To turn on the settings on the Instagram app and test it, you need to first link both your Instagram and Facebook profiles together. Click here to learn how to do that.

Once that is done, follow the steps below to activate the Whitehat settings.

  • Open up the Instagram app.
  • Change your account to the test account if you have one.
  • Tap your Profile Picture to access Profile settings and then tap/click the Bookmark
  • Select Settings, then Internal, then Whitehat Settings.
  • Configure the following set of options as per your preferences:
    • Allow user installed certificates – enable/disable.
    • Do not use TLS 1.3 – enable/disable.
  • Once you have set it up, exit the app and then open it again.

The banner notifying you that your traffic is being monitored will appear once again.

If by some chance, the settings are still not available in any of your apps then Facebook recommends signing out from the problem app, closing it, restarting it and then signing in again. This should fetch the new configuration and display the newly enabled settings. It is recommended that you follow this process every time you change the options set in Facebook web UI.
