Security shocker: Android apps send private data in clear

Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users' privacy, a computer scientist says. In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a …

COMMENTS

This topic is closed for new posts.
  1. The Grump
    Gates Halo

    Droid doesn't

    Another reason to hate the Droid.

    Crappy, buggy apps. Crap support for Flash-based websites. No animated GIF support. No USB tethering for laptop use of Droid's internet connection. No Microsoft app support. No web security. Eats battery life quickly. And that's not even my full list of Droid annoyances. (Fantasizes about shooting Droid, beating Droid with club, crushing Droid with vise, impaling Droid on drill press, jumping up and down on remaining pieces, burning any pieces left, taking unburned residue and beating it some more. Yes, I hate my Droid and its Google OS that much).

    Bill Gates, because I'm running back to a Microsoft mobile phone OS, the moment my Verizon contract on my Droid runs out. Google is evil - EVIL - or at least incompetent to the point of unbelievability. Droid doesn't - it just wants you to think it does.

    1. Anonymous Coward
      FAIL

      Animated GIFs?

      Animated GIFs!? Oh I'm sorry did you really have a desperate urge to see the rotating skull on that kid's GeoCities page? Do you have such a longing for grainy 8-bit colour in your miniatures of amusing videos? Are you viewing this page on Netscape Navigator 1.22 or later?

    2. Richard 12 Silver badge

      Is that a troll?

      "Crappy buggy apps" - Who writes those apps? There's loads of crappy apps for Windows, OSX and Linux too. In the case of Windows, a lot of them were written by Microsoft - most weren't, of course.

      "Crap support for Flash" - It has *some* support for Flash. Win Mob 6.x and iOS don't have any support at all. I don't know whether WinPhone 7 does yet, though it's supposed to be coming.

      Every single one of your gripes also applies to Microsoft-based phones. The battery life one could only be fixed by Symbian - except of course that Nokia killed it.

      I really hate to tell you this, but if you switch to a Windows Mobile 6.x or a Windows Phone 7 phone, you'll hate it just as much. Maybe smartphones simply aren't for you.

    3. batfastad
      Jobs Horns

      Droid does

      ...have USB tethering. I'm typing this right now on the train with my laptop connected to my phone.

      US network operators pretty much always disable this feature to keep your data usage in check and force you to buy those idiotic mobile broadband dongles.

      Depends on handset as well I guess but HTC Desire here and it works fine.

      What does annoy me is the lack of Bluetooth tethering though.

      There's a wifi hotspot feature to share the internet connection, but that uses way more power on both my phone and laptop than bluetooth did on all my previous 3G phones from the last 6 years or so.

      Correct, there is no MS application support. So you can't currently run MS Powerpoint or MS Access on your Android phone.

      Complain to MS about that and maybe they'll develop a version for Android. Unlikely they'll hear you though. Otherwise stick to OpenDocument formats rather than MS and you'll be fine. For MS formats, there's all sorts in the Android Market to help as well.

      Animated gifs seem to work fine. Both in the picture viewer and the web browser.

      Battery life is a bit of an annoyance, I only get about 3-4 days from a charge. And I have internet/GPS/bluetooth/wifi turned off and only activate those when I need it.

      At first I thought you were joking but it appears you are serious. So enjoy your new windows mobile, best of luck!

    4. amonynous coward

      No animated GIFs?!?!!!?!

      No animated GIF support? Well I'll cancel my Android order right away then. It is of utmost importance that I have animated GIF support.

      Tell me, can Microsoft's new telephone support animated GIFs?

    5. frank ly
      Happy

      Be careful.....

      ...... I've heard that WinPho 7 doesn't have Google app support.

    6. Olof P
      Stop

      Must it be required?

      Tethering: blame the carriers. Battery life: like any smartphone, then. The others can in some part be blamed on Android, true.

    7. Doug Glass
      Go

      Nice try ...

      ... and be sure and tell monkey boy you posted it.

  2. Mike Green
    FAIL

    Surprise.....

    Both Apple and Google seem to be in the business of harvesting users' information as a matter of course, they really don't seem keen on keeping their users' data private from anyone else either, and this has put me off getting a so-called smart phone till they've had a little time to work at least the most obvious of their quirks out.

  3. Version 1.0 Silver badge
    Happy

    Possibly a bug?

    If it had just been affecting Facebook I'd have suspected it might be a feature.

  4. Jolyon Smith
    FAIL

    I learn something new every day...

    Today I learned that using an encrypted wireless network secures my data all the way back to the server I'm connected to ... and there I was thinking that it only secured traffic in the air, between my device and the local access point.

    But Google know better, it uh seems...

    --

    Google: We try not to get caught doing evil

    1. Just Thinking

      But surely

      If you have something in your calendar you don't want other people to know about, you shouldn't be doing it?

      1. dotdavid
        FAIL

        @Just Thinking

        What, something like my holiday flight times, which I don't want people to know about because then they'd know when my house is nice and empty of people to interrupt a burglary?

    2. Anonymous Coward
      Anonymous Coward

      That's not what he said at all

      Security is about risk management. The biggest threat to you from eavesdropping arises on the local segment, particularly when that is wireless. Encrypting that segment reduces the threat: no one claimed it eliminated it altogether.

  5. Anonymous Coward
    Anonymous Coward

    soundhog subscription service

    Offered to music trivia hosts, at $20/event.

    Brilliant.

  6. A Non e-mouse Silver badge

    Security by design

    "We plan to begin encrypting traffic to Google Calendar on Android in a future maintenance release"

    In my experience, to be really effective, security has to be baked into an application's design from day one. Adding security as a bolt-on later on is never as effective.

  7. Jaap stoel
    FAIL

    Well here's your problem

    People regard facebook as private...

    Nuff said really but who in their right mind would think that something you post on facebook or hyves or any other social networking site is private? It's there for world+dog+direct marketers.

    1. maclovinz
      Happy

      Who?

      Stupid people.

      That's who.

  8. cirrus
    Megaphone

    Common practice for app developers

    Unfortunately it seems that using plain-text protocols is a common practice for mobile/smartphone application developers. While sniffing a few iPhone applications some time ago, I've discovered a number of them that even transmit the password in plain-text. The list (probably outdated now) can be found at: http://blog.0x0lab.org/2010/04/unsafe-iphone-applications/

  9. Anonymous Coward
    Joke

    Private investigator

    Woooop... now I can snoop on someone's phone in Starbucks to find out their GPS location at street level! Result

  10. JaitcH
    WTF?

    With Facebook it doesn't matter; it's so leaky now one more hole won't make a difference

    Facebook continues to spout more leaks than the dikes in Holland so one more won't make that much difference.

    Still it's surprising that Google let this one slip by.

  11. Ian McNee
    Stop

    “People for right or wrong treat Facebook as something that's more personal and private,”

    Meh...more fool them then.

    Obviously not good and needs to be fixed (especially for more significant apps like Google Calendar) but really, people need to take some responsibility for the how/where/what of their on-line activity.

  12. This post has been deleted by its author

  13. batfastad
    Jobs Horns

    Many sites

    Many sites, even when using them from a regular browser, only encrypt the user credentials stage and everything else is sent unencrypted.

    The reason is that it's computationally very (very very) expensive to encrypt all traffic on massive sites.

    Especially if there's large amounts of static media accessed by pages (images/js etc) that traffic would all have to be encrypted as well, otherwise users would get security warnings saying that the page contains unencrypted content etc.

    When signing in to eBay and Twitter in Firefox the user credentials and authentication stage is encrypted then the rest is plain text.

    Even if you try and force https on facebook, when I then go to messages the connection switches to plain http. When I go to twitter, everyone can see all my twits in plaintext.

    I am surprised about the Google applications though. When using those from a browser all activity appears to be forced over https.

    Surely this isn't Android's fault though?

    Surely the fault of the application developers or the server operators.

    As a developer of secure intranet applications, I believe it's the server operators' and developers' responsibility to ensure the security of the user's session. It's easy to force HTTPS-only transactions on web servers.

    Trusting users to secure themselves is asinine - the users are usually the weakest link in the chain.

    Did this professor check it out using a normal browser first?

    It's frightening that this chap is actually a professor and actually teaches people.

    1. Anonymous Coward
      Anonymous Coward

      Re:Many sites

      If you read the article, his complaint is that after selecting Facebook's option to always use SSL, Facebook doesn't always use SSL.

      This seems like a valid and sensible complaint to me. Am I missing something?

      Nobody's blaming Android or Google or the wireless network (well, some commentards are but obviously we're ignoring their 'contribution') .

      Regarding your comment, "it's computationally very (very very) expensive to encrypt all traffic": Google has published a load of research into this and it isn't. See http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html for Adam Langley's Velocity 2010 talk amongst many others.

      1. batfastad
        Jobs Horns

        Cheers

        Oh cheers for that article as well. Turns out I've been living in the stone age then ;)

      2. batfastad
        Jobs Horns

        Facebook

        Well that seems like Facebook's problem to me, as I said, complain about the server administrators/application developers.

        My point is that it appears to be the same on desktop browsers as well.

        The opening para seems to suggest that it's a problem with Android rather than specific Android applications developed by a 3rd party, or specific websites.

        Yep it's a perfectly valid complaint that Facebook's "always on SSL" isn't always on, not arguing that.

        I'm surprised Google's Calendar application does this though, since they switched GMail to force SSL a while ago.

        But that's a reason why I generally avoid all this application nonsense and just use the mobile web versions instead.
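The thread above argues that forcing HTTPS is the server operator's job and that Facebook's "always use SSL" option was not being honoured. The following is an added example, not code from the article or from Facebook, Google or any other party named in it, showing what "force HTTPS-only transactions" means in practice at the application layer: a WSGI middleware that redirects cleartext requests, sends HSTS so browsers upgrade before the next request, and stamps the Secure attribute on every cookie so a session issued over TLS can never be replayed over plain HTTP. The trusted-proxy address, host names, cookie value and demo application are assumptions made up for the illustration.

```python
"""WSGI middleware that refuses to serve anything over cleartext HTTP.

Added illustration; not code from the article or from any vendor it names.
Host names, cookie values and the proxy address below are made up.
"""

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ, trusted_proxies):
    """True if this hop is TLS, or a TLS-terminating proxy we trust says so.

    X-Forwarded-Proto is client-controllable, so it is honoured only when the
    request really arrived from one of trusted_proxies (assumed addresses).
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return (environ.get("REMOTE_ADDR") in trusted_proxies
            and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")


def _with_secure(cookie):
    """Append '; Secure' to a Set-Cookie value unless it already carries it."""
    attrs = {a.strip().lower() for a in cookie.split(";")}
    return cookie if "secure" in attrs else cookie + "; Secure"


def force_https(app, trusted_proxies=frozenset()):
    """Wrap a WSGI app so it is only ever reachable over TLS."""
    def wrapper(environ, start_response):
        if not is_https(environ, trusted_proxies):
            # A redirect cannot un-leak a body already sent in the clear; HSTS
            # (below) is what stops the *next* request from going out plain.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = "https://" + host + environ.get("SCRIPT_NAME", "") \
                + environ.get("PATH_INFO", "")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            fixed = [(n, _with_secure(v) if n.lower() == "set-cookie" else v)
                     for n, v in headers]
            fixed.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, fixed, exc_info)

        return app(environ, secure_start_response)
    return wrapper


def demo_app(environ, start_response):
    """Stand-in application: issues a session cookie without the Secure flag."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "SID=DQAAAKcAAAD9x1; Path=/; HttpOnly")])
    return [b"calendar feed"]


def make_environ(scheme, path="/calendar/feeds", query="", remote="203.0.113.5"):
    """Minimal constructed WSGI environ for exercising the middleware offline."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET",
            "HTTP_HOST": "calendar.example.test", "SERVER_NAME": "calendar.example.test",
            "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
            "REMOTE_ADDR": remote}


def call(app, environ):
    """Invoke a WSGI app and return (status, headers, body) without a server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


SECURED = force_https(demo_app)

if __name__ == "__main__":
    print(call(SECURED, make_environ("http", query="alt=json"))[:2])
    print(call(SECURED, make_environ("https"))[:2])
```

The redirect alone would not have saved the Android calendar client, which is not a browser and already sent its cookie before any redirect arrived; the Secure attribute is what makes a cookie unusable in the clear, and the client must be written to use https:// in the first place.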

  14. Anonymous Coward
    Stop

    "...we recommend using encrypted WiFi networks.”

    Said a Google spokesperson.

    It's important to realise that just because a wireless network is ENCRYPTED does not necessarily mean that it is TRUSTWORTHY.

    Wifi at a coffee shop could well be secured with encryption, but that does not stop a potential unscrupulous individual from snooping on the communications once they are on the wire.
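The point made above, that WPA on the coffee-shop access point protects only the air link and that anyone on the wire past it still reads cleartext HTTP, is easy to make concrete. The following is an added example, not code from the article or from Wallach's class exercise, of what a passive observer doing the "follow TCP stream" step recovers from a cleartext client stream: session cookies that can be replayed (the Firesheep attack mentioned later in the thread) and form-posted credentials. The captured payloads, host names, paths and token values are constructed for the illustration.

```python
"""Passive recovery of cookies and credentials from cleartext HTTP payloads.

Added illustration; the payloads below are constructed, not real captures,
and the hosts, paths and token values are made up.
"""
from urllib.parse import parse_qs

# Constructed: a feed fetch authenticated by session cookies alone.
CLEARTEXT_FEED = (
    b"GET /calendar/feeds/default/private/full?alt=json HTTP/1.1\r\n"
    b"Host: calendar.example.test\r\n"
    b"Cookie: SID=DQAAAKcAAAD9x1; HSID=A1b2C3d4E5\r\n"
    b"User-Agent: Android-GData/1.0\r\n"
    b"\r\n"
)

# Constructed: a login form posted in the clear, password in the body.
CLEARTEXT_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: m.social.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"email=alice%40example.test&pass=hunter2&persistent=1"
)

# Constructed: the opening bytes of a TLS ClientHello (record type 0x16).
# The observer sees a handshake, not the request carried inside it.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32

CREDENTIAL_FIELDS = ("email", "username", "user", "login",
                     "pass", "passwd", "password")


def parse_http_request(payload):
    """Parse one client->server TCP payload as an HTTP/1.x request.

    Returns a dict with method, host, path, cookies and any credential-looking
    form fields, or None when the bytes are not cleartext HTTP (e.g. TLS).
    """
    if payload[:1] == b"\x16":           # TLS handshake record: opaque to us
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = \
                value.strip().decode("latin-1")
    cookies = {}
    for piece in headers.get("cookie", "").split(";"):
        name, eq, value = piece.strip().partition("=")
        if eq:
            cookies[name] = value
    credentials = {}
    if headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        credentials = {k: form[k][0] for k in CREDENTIAL_FIELDS if k in form}
    return {
        "method": parts[0].decode("latin-1"),
        "host": headers.get("host", ""),
        "path": parts[1].decode("latin-1"),
        "cookies": cookies,
        "credentials": credentials,
    }


def harvest(payloads):
    """Keep only requests that handed over something reusable: a session
    cookie that can be replayed or a credential pair."""
    loot = []
    for payload in payloads:
        req = parse_http_request(payload)
        if req and (req["cookies"] or req["credentials"]):
            loot.append((req["host"], req["cookies"], req["credentials"]))
    return loot


if __name__ == "__main__":
    for host, cookies, creds in harvest(
            [CLEARTEXT_FEED, CLEARTEXT_LOGIN, TLS_CLIENT_HELLO]):
        print(host, cookies, creds)
```

Nothing here depends on the wireless link: the same bytes are visible at the access point, the ISP and every hop in between, which is why link-layer encryption is not an answer to an application sending its session in the clear.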

  15. Kay Burley ate my hamster
    Thumb Up

    Who didn't know this already?

    Been using https://touch.facebook.com since before their SSL setting (It gave a domain mismatch error but was encrypted).

    I never liked the app for just this reason and have posted to El Reg comments on this before. Apps are bad for security, mobile web at least lets you know the connection security status.

    Also this is not an Android issue, this is down to Facebook and Google for developing apps which do the same job of a website but badly.

  16. Anonymous Coward
    Coat

    ZOMG! Your phone is raping your data!

    It seems a bit disingenuous to blame the OS for an application failing to encrypt some http request.

    A shiny dollar says you will find the same problems with any platform; they all have some shitty sub par applications available. This isn't limited to just phones either.

    The fact that google's own apps do not encrypt their traffic is completely half-arsed, but doesn't implicate the underlying OS.

    /mines the one with the n900 in the pocket.

  17. Anonymous Coward
    Grenade

    FUCK OFF

    I'm really fucked off that this is ONLY just becoming news now.

    I raised this fucking issue, and did packet traces, on a public forum (the android stackexchange site) but no one seemed to give a fuck.

    This is a fucking massive issue (transmitting google calendar in the clear) but no one gives a fuck. Not even after the firesheep scare.

    FUCK YOU FUCKING "PROFESSIONALS".

    1. Anonymous Coward
      Flame

      And...

      While you were doing "packet traces" (I presume you mean, I fired up wireshark and selected follow tcp stream) did you happen to notice all the other stuff that's regularly transmitted in plain text? A surprising number of email servers still send mail in plain text for example.

    2. DRendar
      Badgers

      Easy Tiger!

      Perhaps you should switch to decaf!

      If you wanted to bring this to a wider audience you should have posted it somewhere people actually go - like Slashdot for example.

      I totally agree that this is a major security issue, but it's hardly ground shaking.

      Until very recently GMAIL only encrypted the logon credentials, and dumped you back to http once you were logged in. There is now an option to encrypt everything in the user settings, but most people won't know about it, and therefore all their email contents are there for the sniffing.

      Considering that people get password resets sent to their email accounts, this is a much bigger security issue than that of the calendar.

    3. Doug Glass
      Paris Hilton

      We're all sorry ...

      .... you didn't get the credit.

      Paris because Paris is sorry too but she looks good.

  18. Neil 38

    Shocker

    When I'm sniffing the corporate network for juicy stuff the last thing I want to stumble upon is useless junk like what people are eating for their lunch or how they're sooo much looking forward to watching The Biggest Loser on telly tonight.

  19. Syed
    Happy

    @Anon 16

    <Michael Winner Voice>

    Calm down dear, it's only an article.

    </Michael Winner Voice>

  20. Doug Glass
    Go

    I love it!

    The more fools who use social media just means the easy targets are so great in number as to make me invisible.

  21. maclovinz
    Happy

    Anyone surprised?

    Is anyone surprised about any of this here? Anyone? No?

    Great, have a nice day.

  22. Anonymous Coward
    Flame

    well . . . . . . . . .

    The Facebook app is FROM Facebook, so it is completely normal as Facebook loves to share users' info and it is working as designed IMHO.

  23. Anonymous Coward
    Happy

    Animated GIFs again

    Android actually does support animated GIFs in 2.2 onwards. So no need to panic.
