Feeds

Security shocker: Android apps send private data in clear

Facebook's persistent SSL isn't

3 Big data security analytics techniques

Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users' privacy, a computer scientist says.

In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google's mobile platform. What he saw surprised him.

The official Facebook app, for instance, transmitted everything except for the password in the clear, Wallach blogged on Tuesday. This meant that all private messages, photo uploads and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook's recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks.

“People for right or wrong treat Facebook as something that's more personal and private,” Wallach told The Reg. “With Facebook, we never saw a password going back and forth, but there was unencrypted traffic, which is interesting because I've set my Facebook web client to use their new SSL-all-the-time feature. But that does't reflect onto the Facebook app on Android.”

A Facebook spokesman said: “After launching SSL for the site we are still testing across all Facebook platforms, and hope to provide it as an option for our mobile users in the coming months.” The company warns users to exercise caution when using unsecured Wi-Fi networks, but as far as we can tell, Facebook has never explicitly said its smartphone app fails to encrypt traffic.

Google Calendar showed a similar carelessness in Wallach's experiment by also sending and receiving data in the clear. That makes it possible for snoops to see your schedule when the service is accessed on unsecured networks.

A Google spokesman said in an email: “We plan to begin encrypting traffic to Google Calendar on Android in a future maintenance release. When possible, we recommend using encrypted WiFi networks.” He didn't say how long users would have to wait.

Wallach found a few other apps that took a cavalier approach to user privacy. The SoundHound song-recognition app, for instance, transmits the user's GPS coordinates down to the street block to the service each time a request is made, even though the app works just fine without that information. A service called ShopSaavy tracks the same details, but at least with that app, the argument can be made that the user's physical location is relevant to the service.

None of the apps Wallach tested transmitted passwords in the clear.

Shortly after Wallach published his findings, F-Secure researcher Sean Sullivan blogged about yet another shortcoming in Facebook's SSL offerings. Based on his experiences, it appears rogue Facebook apps can disable the feature. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.