Google and Facebook are not encrypting all of the mobile traffic sent to and from their services, inviting even wannabe attackers to impersonate users or post bogus status updates as a result.
Dan Wallach, a professor at Rice University in Houston, Texas, set up a smartphone security experiment as part of his undergraduate security class: he sniffed traffic on a network while performing several web requests from his Android handset, and detailed his findings in a blog post.
The results of the experiment were telling, showing security lapses on both Google’s and Facebook’s part. Google was found to encrypt mobile traffic to its Gmail and Google Voice services properly but not to its Calendar service. That is a smaller risk, since calendar data is rarely sensitive in itself, but it still lets an eavesdropper read calendar transactions and possibly impersonate the mobile user.
More worryingly, Facebook was found to bypass secure connections altogether, even when a user had enabled full-time HTTPS (SSL) in their Facebook account settings. Wallach found that the encryption request “apparently isn’t honored or supported by Facebook’s Android app”, opening the possibility for an attacker on the same network to inject status updates.
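The check Wallach's experiment boils down to is a triage of what each captured payload reveals to anyone on the same network. The script below is an added illustration, not Wallach's code or anything from Google or Facebook: it classifies captured TCP payloads as a TLS handshake (opaque to the eavesdropper), a cleartext HTTP request, or something else, reports per host which reusable credentials (Cookie, Authorization) were exposed, and shows why an exposed cookie is enough to rebuild a request with a different body, which is the status-injection risk described above. All payloads and hostnames are constructed test data.

```python
"""Triage captured TCP payloads the way a network-sniffing experiment would.

Added example (not code from the article or the apps it discusses).
All payloads and hostnames below are constructed test data.
"""
import re

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]\r\n")
REUSABLE = (b"cookie", b"authorization")  # headers an eavesdropper can replay


def classify(payload: bytes) -> dict:
    """Describe what one captured payload reveals on the wire."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"kind": "tls", "host": None, "exposed": []}
    m = REQUEST_LINE.match(payload)
    if not m:
        return {"kind": "other", "host": None, "exposed": []}
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {
        "kind": "http",
        "method": m.group(1).decode(),
        "path": m.group(2).decode(),
        "host": headers.get(b"host", b"").decode(),
        "headers": headers,
        "body": body,
        "exposed": [h.decode() for h in REUSABLE if h in headers],
    }


def audit(payloads) -> dict:
    """Per host: number of cleartext requests and which reusable headers leaked."""
    report = {}
    for p in payloads:
        c = classify(p)
        if c["kind"] != "http":
            continue
        entry = report.setdefault(c["host"], {"cleartext_requests": 0, "exposed": set()})
        entry["cleartext_requests"] += 1
        entry["exposed"].update(c["exposed"])
    return report


def forge_from_capture(captured: bytes, new_body: bytes) -> bytes:
    """Rebuild a captured cleartext POST with a different body.

    Without TLS and without a request signature, the cookie alone authenticates
    the request, so the body is freely replaceable. Content-Length is recomputed.
    """
    c = classify(captured)
    if c["kind"] != "http" or c["method"] != "POST":
        raise ValueError("need a cleartext POST")
    lines = [f"POST {c['path']} HTTP/1.1".encode()]
    for name, value in c["headers"].items():
        if name == b"content-length":
            value = str(len(new_body)).encode()
        lines.append(name + b": " + value)
    return b"\r\n".join(lines) + b"\r\n\r\n" + new_body


# Constructed captures: a TLS ClientHello prefix and two cleartext requests.
SAMPLE = [
    b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01" + b"\x00" * 32,
    (b"GET /calendar/feeds/default HTTP/1.1\r\n"
     b"Host: calendar.example.com\r\n"
     b"Cookie: SID=constructed-session-id\r\n\r\n"),
    (b"POST /status/update HTTP/1.1\r\n"
     b"Host: m.social.example\r\n"
     b"Cookie: c_user=12345; xs=constructed-token\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 17\r\n\r\n"
     b"status=having+fun"),
]

if __name__ == "__main__":
    for host, entry in audit(SAMPLE).items():
        print(host, entry["cleartext_requests"], "cleartext request(s), exposed:", sorted(entry["exposed"]))
    print(forge_from_capture(SAMPLE[2], b"status=pwned").decode())
```

On a real capture the TLS flows would still show the destination host in the ClientHello's SNI extension, so the eavesdropper learns which services the phone talks to either way; what the cleartext requests add is the session cookie, and that is the difference between a traffic log and an impersonation.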
Twitter was also found to send all of its communication in the clear, but because tweets are mostly public by nature, there isn’t much of a confidentiality concern. And because the microblogging service’s API uses OAuth, which signs each request with secrets that never travel over the wire, it would be difficult for an attacker to create bogus messages even after capturing the traffic.
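Why request signing changes the picture even over cleartext is easiest to see by working through OAuth 1.0a's HMAC-SHA1 scheme (RFC 5849). The block below is an added example, not Twitter's code or its real endpoints and keys: it signs a status-update request, then plays the roles an eavesdropper could take, tampering with the captured status text, re-signing with guessed secrets, and replaying the captured request verbatim. The consumer key, token, secrets and the api.example.com URL are all made-up values.

```python
"""OAuth 1.0a request signing and verification (RFC 5849, HMAC-SHA1).

Added example, not Twitter's implementation. Keys, tokens and the URL are
constructed test values.
"""
import base64
import hashlib
import hmac
import urllib.parse


def _pct(s: str) -> str:
    # RFC 3986 percent-encoding with exactly the unreserved set OAuth 1.0a allows.
    return urllib.parse.quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Every request parameter (body fields and oauth_*) is encoded, sorted and joined,
    # so changing the status text changes the string being signed.
    encoded = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret) -> str:
    # The HMAC key is built from the two secrets, neither of which is ever sent.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def signed_request(method, url, params, consumer_key, consumer_secret,
                   token, token_secret, nonce, timestamp) -> dict:
    """Client side: what actually goes over the wire (keys and tokens, no secrets)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**params, **oauth},
                                    consumer_secret, token_secret)
    return {**params, **oauth}


def verify(method, url, request, consumer_secret, token_secret, seen_nonces) -> bool:
    """Server side: recompute the signature, then enforce nonce freshness."""
    presented = request.get("oauth_signature", "")
    params = {k: v for k, v in request.items() if k != "oauth_signature"}
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(presented, expected):
        return False
    # A valid signature can still be replayed verbatim; the (token, nonce, timestamp)
    # cache is what stops an eavesdropper from re-posting the captured request.
    key = (request["oauth_token"], request["oauth_nonce"], request["oauth_timestamp"])
    if key in seen_nonces:
        return False
    seen_nonces.add(key)
    return True


def run_demo() -> dict:
    ck, cs = "demo-consumer-key", "demo-consumer-secret"   # constructed
    tk, ts = "demo-access-token", "demo-token-secret"      # constructed
    url = "http://api.example.com/1/statuses/update.json"  # constructed, cleartext on purpose
    seen = set()
    genuine = signed_request("POST", url, {"status": "hello from my phone"},
                             ck, cs, tk, ts, nonce="n1", timestamp=1300000000)
    results = {"genuine": verify("POST", url, genuine, cs, ts, seen)}
    # Eavesdropper edits the captured status but cannot fix the signature.
    tampered = dict(genuine, status="I have been pwned")
    results["tampered"] = verify("POST", url, tampered, cs, ts, seen)
    # Eavesdropper re-signs with the public key/token seen on the wire and guessed secrets.
    forged = signed_request("POST", url, {"status": "I have been pwned"},
                            ck, "guess", tk, "guess", nonce="n2", timestamp=1300000001)
    results["forged"] = verify("POST", url, forged, cs, ts, seen)
    # Eavesdropper replays the genuine request byte for byte.
    results["replayed"] = verify("POST", url, genuine, cs, ts, seen)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The replay case is the caveat worth keeping in mind: the signature alone proves nothing about freshness, so the nonce and timestamp check on the server is part of the protection, and sniffing still reveals the consumer key and access token even though it does not reveal the secrets needed to use them.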
The experiment shows that even when a popular Internet service does offer secure connections, the company’s official app might not use them on both ends. Google is especially at fault: the experiment was conducted on an Android smartphone, Google’s own platform, so the Calendar gap looks like something overlooked while the company was securing its more data-sensitive services.
As Paul Ducklin at Sophos Naked Security points out:
Both companies really ought to bite the cryptographic bullet and offer a configuration option for mandatory HTTPS. This would be a setting by which well-informed users could instruct the Facebook or Google servers to reject any attempt – whether accidental or deliberate – to make an insecure connection.
Story by Matt Brian
Matt is the former News Editor for The Next Web. You can follow him on Twitter, subscribe to his updates on Facebook and catch up with him on Google+.