Wednesday, February 23, 2011

Facebook Android App, Google Calendar App Not Secure

Facebook's and Google Calendar's Android apps fail to encrypt the data they send to and from their respective servers. Keep in mind that it is the apps that are misbehaving, not the Android OS.
But before jumping to conclusions based on sensationalism like The did, here are the facts the Freedom to Tinker team found. Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset while he used various apps available for Google's mobile platform. The findings are:

  • Google properly encrypts traffic to Gmail and Google Voice, but they don't encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
  • Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn't really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
  • Facebook does everything in the clear, much like Twitter. My Facebook account's web settings specify full-time encrypted traffic, but this apparently isn't honored or supported by Facebook's Android app. Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook's server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.
  • The free version of Angry Birds, which uses AdMob, appears to preserve your privacy. The requests going to the AdMob server didn't have anything beyond the model of my phone. When I clicked an ad, it sent the (x,y) coordinates of my click and got a response saying to send me to a URL in the web browser. (Got to love the Angry Birds Birthday Cake!)
  • Another game I tried, Galcon, had no network activity whatsoever. Good for them.
  • SoundHound and ShopSavvy transmit your fine GPS coordinates whenever you make a request to them. One of the students typed the coordinates into Google Maps and they nailed me to the proper side of the building I was teaching in.
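The same kind of triage Wallach did by hand, as an added example in Python (not code from Freedom to Tinker or from any of the apps above): each flow is the first bytes a handset sent to a server, classified as a TLS ClientHello (opaque to the sniffer) or a cleartext HTTP request, and the cleartext ones are checked for what an eavesdropper on the same network could read or reuse. The sample flows, app names, hostnames and parameter names are constructed for illustration; the location key list is an assumption, not a specification.

```python
"""Triage of captured per-app flows: which go over TLS, which are cleartext,
and what a passive eavesdropper on the same network can read or reuse."""
import re
from urllib.parse import parse_qs, urlsplit

# Query/body keys assumed to carry fine-grained location (illustrative, not a spec).
LOCATION_KEYS = {"lat", "lon", "lng", "latitude", "longitude", "loc", "geo"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")
# The real signature parameter; does not match oauth_signature_method=...
OAUTH_SIG = re.compile(r'\boauth_signature="')


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3,
    followed by a handshake message of type 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)


def parse_http_request(data: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def classify_flow(app: str, data: bytes) -> dict:
    """Report the transport, what leaks in the clear, and whether the request
    carries an OAuth signature (readable, but hard to forge without the secrets)."""
    report = {"app": app, "transport": "unknown", "leaks": [], "signed": False}
    if is_tls_client_hello(data):
        report["transport"] = "tls"          # content is opaque to the sniffer
        return report
    if not data.startswith(HTTP_METHODS):
        return report                        # neither TLS nor HTTP; not handled here
    report["transport"] = "cleartext"
    method, target, headers, body = parse_http_request(data)
    params = parse_qs(urlsplit(target).query)
    if method == "POST" and body:
        params.update(parse_qs(body))        # form-encoded body, the common app case
    for key in params:
        if key.lower() in LOCATION_KEYS:
            report["leaks"].append(f"location:{key}")
    if "cookie" in headers:
        report["leaks"].append("session-cookie")   # replayable by the eavesdropper
    auth = headers.get("authorization", "")
    report["signed"] = auth.startswith("OAuth ") and bool(OAUTH_SIG.search(auth))
    return report


# Constructed sample flows (first bytes the handset sent); not real captures.
SAMPLE_FLOWS = [
    ("mail", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01" + b"\x00" * 32),
    ("calendar", b"GET /calendar/feeds/default/private/full?max-results=50 HTTP/1.1\r\n"
                 b"Host: calendar.example.invalid\r\n"
                 b"Cookie: SID=abc123; HSID=def456\r\n\r\n"),
    ("microblog", b"POST /1/statuses/update.json HTTP/1.1\r\n"
                  b"Host: api.example.invalid\r\n"
                  b'Authorization: OAuth oauth_consumer_key="k", '
                  b'oauth_signature_method="HMAC-SHA1", oauth_signature="c2ln"\r\n\r\n'
                  b"status=hello"),
    ("shopping", b"GET /search?q=widget&lat=29.7174&lon=-95.4018 HTTP/1.1\r\n"
                 b"Host: shop.example.invalid\r\n\r\n"),
    ("game", b"GET /ad?model=Nexus%20One HTTP/1.1\r\n"
             b"Host: ads.example.invalid\r\n\r\n"),
]


def audit(flows=SAMPLE_FLOWS) -> dict:
    """Classify every flow; returns {app: report}."""
    return {app: classify_flow(app, data) for app, data in flows}


if __name__ == "__main__":
    for report in audit().values():
        print(report)
```

On the constructed flows, the mail app is reported as TLS with nothing readable, the calendar app as cleartext with a replayable session cookie, the microblog app as cleartext but OAuth-signed, and the shopping app as cleartext with latitude and longitude in the query string. A real capture would feed the first packet of each TCP stream into `classify_flow`; a flow that is neither TLS nor HTTP is left as `unknown` rather than guessed at.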
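Why the OAuth signatures on the Twitter traffic matter while the unsigned Facebook traffic is open to injection, as an added example (not code from either service): OAuth 1.0 HMAC-SHA1 signing per RFC 5849 on the client side, the server's check on the other side, and an eavesdropper's attempt to reuse a sniffed Authorization header with a different body. Credentials, nonce, timestamp and the API URL are constructed; `forge_body` and `demo` are illustrative helpers, not part of any OAuth library.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and server-side verification,
showing why a sniffed-but-signed request cannot simply be altered and resent."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_escape(value) -> str:
    """Percent-encode leaving only the RFC 3986 unreserved set (RFC 5849 sec. 3.6)."""
    return quote(str(value), safe="~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded base URL & encoded, sorted, normalized parameter string."""
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def client_sign_request(method, url, body, consumer_key, consumer_secret,
                        token, token_secret, nonce, timestamp) -> dict:
    """What the app does: sign the body plus the oauth_* protocol parameters."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**body, **oauth}, consumer_secret, token_secret)
    return {"method": method, "url": url, "body": dict(body), "oauth": oauth}


def server_verify(request: dict, secrets: dict, seen_nonces: set):
    """What the API server does. `secrets` maps (consumer_key, token) to
    (consumer_secret, token_secret); `seen_nonces` is the server's replay cache."""
    oauth = dict(request["oauth"])
    presented = oauth.pop("oauth_signature", None)
    if presented is None:
        return False, "unsigned"   # nothing ties this request to a key holder
    creds = secrets.get((oauth.get("oauth_consumer_key"), oauth.get("oauth_token")))
    if creds is None:
        return False, "unknown credentials"
    expected = hmac_sha1_signature(request["method"], request["url"],
                                   {**request["body"], **oauth}, *creds)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"   # body or parameters were altered
    replay_key = (oauth["oauth_consumer_key"], oauth["oauth_timestamp"], oauth["oauth_nonce"])
    if replay_key in seen_nonces:
        return False, "replay"          # verbatim resend of a sniffed request
    seen_nonces.add(replay_key)
    return True, "ok"


def forge_body(request: dict, new_body: dict) -> dict:
    """The eavesdropper's attempt: keep the sniffed Authorization values, swap the body."""
    return {**request, "body": dict(new_body), "oauth": dict(request["oauth"])}


def demo() -> dict:
    """Constructed credentials and request (illustrative, not real services)."""
    secrets = {("ck-example", "tok-example"): ("cs-example", "ts-example")}
    url = "https://api.example.invalid/1/statuses/update.json"
    request = client_sign_request("POST", url, {"status": "hello"}, "ck-example",
                                  "cs-example", "tok-example", "ts-example",
                                  "nonce-1", 1298419200)
    seen = set()
    return {
        "legit": server_verify(request, secrets, seen),
        "replay": server_verify(request, secrets, seen),
        "forged": server_verify(forge_body(request, {"status": "send money"}), secrets, set()),
        "unsigned": server_verify({"method": "POST", "url": url,
                                   "body": {"status": "anything"}, "oauth": {}},
                                  secrets, set()),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The signed request verifies once, a verbatim resend is caught by the nonce cache, and the altered body fails the signature check because the eavesdropper never learns the consumer or token secrets (they are not on the wire; only the signature is). The unsigned case is the Facebook-style situation: the server has no way to distinguish an injected post from a genuine one, and the only thing it could check, a session cookie, is itself readable in the cleartext capture.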
So read about and use applications wisely. I hope Dan does the same with an iPhone.

