Feeds

Security shocker: Android apps send private data in clear

Facebook's persistent SSL isn't

SANS - Survey on application security programs

Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users' privacy, a computer scientist says.

In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google's mobile platform. What he saw surprised him.

The official Facebook app, for instance, transmitted everything except for the password in the clear, Wallach blogged on Tuesday. This meant that all private messages, photo uploads and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook's recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks.

“People for right or wrong treat Facebook as something that's more personal and private,” Wallach told The Reg. “With Facebook, we never saw a password going back and forth, but there was unencrypted traffic, which is interesting because I've set my Facebook web client to use their new SSL-all-the-time feature. But that does't reflect onto the Facebook app on Android.”

A Facebook spokesman said: “After launching SSL for the site we are still testing across all Facebook platforms, and hope to provide it as an option for our mobile users in the coming months.” The company warns users to exercise caution when using unsecured Wi-Fi networks, but as far as we can tell, Facebook has never explicitly said its smartphone app fails to encrypt traffic.

Google Calendar showed a similar carelessness in Wallach's experiment by also sending and receiving data in the clear. That makes it possible for snoops to see your schedule when the service is accessed on unsecured networks.

A Google spokesman said in an email: “We plan to begin encrypting traffic to Google Calendar on Android in a future maintenance release. When possible, we recommend using encrypted WiFi networks.” He didn't say how long users would have to wait.

Wallach found a few other apps that took a cavalier approach to user privacy. The SoundHound song-recognition app, for instance, transmits the user's GPS coordinates down to the street block to the service each time a request is made, even though the app works just fine without that information. A service called ShopSaavy tracks the same details, but at least with that app, the argument can be made that the user's physical location is relevant to the service.

None of the apps Wallach tested transmitted passwords in the clear.

Shortly after Wallach published his findings, F-Secure researcher Sean Sullivan blogged about yet another shortcoming in Facebook's SSL offerings. Based on his experiences, it appears rogue Facebook apps can disable the feature. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.