Getting Facebook account blocked due to phishing while using Frost? Here's what you should know

Let me clarify this first: I’m not a Facebook person. I am part of a minority user group that is not targeted by smartphone makers who love to preinstall Facebook on their phones (*cough* Samsung *cough*). A whole phone designed by Facebook, tailor-made for the social media – worst possible nightmare!

HTC First: The one and only phone featuring a launcher named ‘Facebook Home’

Keeping aside all those data harvesting and privacy related issues, the official Facebook Android app itself is the perfect example of poor engineering. Not only is the app extremely bloated, but Facebook also forces you to install another cumbersome app to use the instant messaging functionality.

Did you know that the primary Facebook app contains most of the components needed to run Messenger inside it? It is possible to unlock those features, but the social media giant is continuously obfuscating the codebase to make such mods harder.

No wonder they had to come up with a ‘Lite’ version of their app

While Facebook Lite is a solution to avoid those bulky and resource-intensive apps, regular Facebook users find it extremely simple (!). To bridge the gap between swiftness and customizability, a number of developers released third party Facebook clients such as Phoenix, Folio and Swift.

These apps are nothing but a fancy way to access the regular web interface of Facebook. Besides those freemium apps, Frost for Facebook is yet another noteworthy app in this domain which is completely free and open source. However, Facebook is allegedly blocking users who are using Frost instead of the official app.

My account was blocked today due to suspicious activity. I had to create a new password and check my recent activity. I have been using Frost on at least two Android devices, as well as normal browser on my computer via Firefox.

(Source)

Yep. Happened to me. Can confirm. Then they make you verify your identity by identifying your friends in some photos. I honestly feel like they’re doing it to train their machine learning for photos..

(Source)

This is not the first time Frost has come under the radar. Back in 2018, the app was removed from Google Play Store due to “…violations of forwarding traffic to a particular site (m.facebook.com)”. But the situation is a little bit different in this case, as the end users are randomly harassed for a baseless reason.

Platforms like the XDA support thread, reddit and GitHub issue tracker are getting flooded with such user reports. Allan Wang, the developer of the app, explored different possibilities behind the selective crackdown, but no concrete solution has been found yet.

It seems like some time within the past month, Facebook became more restrictive towards user agents. Switching agents with the same authentication and executing some post request (e.g. commenting) would trigger a phishing warning, and would require identification + a password reset. This is still speculation, but with all the reports I’ve been given, I am reasonably confident that this is the problem.

As a temporary bypass method, Allan released a new version of Frost (v2.3.2) that enforces a Facebook desktop user agent. There are some obvious shortcomings though, as you cannot get a unique, device-specific fingerprint in your session activity.
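The kind of server-side check Allan speculates about can be sketched as detection logic over a request log. This is an added example, not code from Facebook or Frost; the fingerprinting rule, session ids, paths and log entries are constructed assumptions.

```python
import re

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def ua_fingerprint(user_agent):
    """Reduce a User-Agent to (platform, browser), ignoring version numbers."""
    if "Android" in user_agent:
        platform = "android"
    elif re.search(r"iPhone|iPad", user_agent):
        platform = "ios"
    else:
        platform = "desktop"
    for browser in ("Firefox", "Edg", "Chrome", "Safari"):
        if browser in user_agent:
            return platform, browser.lower()
    return platform, "other"

def flag_agent_switches(requests):
    """Flag state-changing requests whose agent differs from the one first
    seen on the same session. Returns (session, request_no, bound, seen)."""
    bound, alerts = {}, []
    for n, (session, method, _path, ua) in enumerate(requests, 1):
        seen = ua_fingerprint(ua)
        first = bound.setdefault(session, seen)  # bind agent at first sight
        if seen != first and method in STATE_CHANGING:
            alerts.append((session, n, first, seen))
    return alerts

# Constructed sample data (assumed values, not real traffic).
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/74.0.3729.136 Mobile Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36")
SAMPLE_LOG = [
    ("sess-A", "GET", "/login", MOBILE_UA),      # session bound to mobile agent
    ("sess-A", "GET", "/home", DESKTOP_UA),      # agent switched, read only
    ("sess-A", "POST", "/comment", DESKTOP_UA),  # switched agent + write: flagged
    ("sess-B", "GET", "/login", DESKTOP_UA),     # one agent for the whole session
    ("sess-B", "POST", "/comment", DESKTOP_UA),  # consistent agent: not flagged
]

if __name__ == "__main__":
    for alert in flag_agent_switches(SAMPLE_LOG):
        print("agent switch before write:", alert)
```

Session `sess-B` models a client that keeps a single desktop agent for the whole session, which is why it never trips the check.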

He also criticized Facebook for not giving third party client devs a clean and secure API to authenticate your account. The current method has several critical vulnerabilities, but hey! It’s Facebook!

Guess you may have some problems with your favorite Facebook app in the near future

For further discussion, take a look at the reddit thread posted by Allan under r/Android. If you are willing to share bug reports or highlight more technical issues, feel free to join here.


Kingshuk De

I came from a mixed background of Statistics and Computer Science. My research domains included embedded computer systems, mobile computing and delay tolerant networks in post-disaster scenarios. Apart from tinkering with gadgets or building hackintosh, I like to hop on various subreddits and forums like MyDigitalLife and XDA.