Translate

Wednesday, April 20, 2011

Thursday, April 14, 2011

Things overheard on the WiFi from my Android smartphone | Freedom to Tinker

Today in my undergraduate security class, we set up a sniffer so we could run Wireshark and Mallory to listen in on my Android smartphone. This blog piece summarizes what we found.

  • Google properly encrypts traffic to Gmail and Google Voice, but they don't encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
  • Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn't really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
  • Facebook does everything in the clear, much like Twitter. My Facebook account's web settings specify full-time encrypted traffic, but this apparently isn't honored or supported by Facebook's Android app. Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook's server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.
  • The free version of Angry Birds, which uses AdMob, appears to preserve your privacy. The requests going to the AdMob server didn't have anything beyond the model of my phone. When I clicked an ad, it sent the (x,y) coordinates of my click and got a response saying to send me to a URL in the web browser.
  • Another game I tried, Galcon, had no network activity whatsoever. Good for them.
  • SoundHound and ShopSaavy transmit your fine GPS coordinates whenever you make a request to them. One of the students typed the coordinates into Google Maps and they nailed me to the proper side of the building I was teaching in.

What options do Android users have, today, to protect themselves against eavesdroppers? Android does support several VPN configurations which you could configure before you hit the road. That won't stop the unnecessary transmission of your fine GPS coordinates, which, to my mind, neither SoundHound nor ShopSaavy have any business knowing. If that's an issue for you, you could turn off your GPS altogether, but you'd have to turn it on again later when you want to use maps or whatever else. Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these.

Instructor note: live demos where you don't know the outcome are always a dicey prospect. Set everything up and test it carefully in advance before class starts.

Posted via email from ninjahippie's (pre) posterous

Wednesday, April 13, 2011

Monday, April 04, 2011

Dilbert - The Knack

What your wireless company knows about you:

From the EFF this morning:

Your cell phone company knows everywhere you go, 24 hours a day, every day. Malte Spitz, a German politician and privacy advocate, found out just what that meant. He used German privacy law to force his cell phone carrier to reveal what it knew about him. The result? 35,831 different facts about his cell phone use over the course of six months. Zeit Online used it to prepare a remarkable interactive map, which animates Spitz's movements, moment by moment, over the course of half a year.

 

To see the animated map (and scare the crap out of yourself):

http://www.zeit.de/datenschutz/malte-spitz-data-retention#

 

Phone

Posted via email from ninjahippie's (pre) posterous