Google and Facebook are not encrypting the mobile traffic sent to and from their services, inviting wannabe attackers to impersonate them or post bogus status updates as a result.
Dan Wallach, a professor at Rice University in Houston, Texas, set up a smartphone security experiment as part of his undergraduate security class: he sniffed traffic on a network while performing several web requests from his Android handset, and detailed his findings in a blog post.
The results of the experiment were telling, exposing security lapses on both Google’s and Facebook’s part. Google was found to encrypt mobile traffic to its Gmail and Google Voice services properly, but not to its Calendar service, a small security risk that wouldn’t necessarily expose sensitive information but would grant an attacker access to calendar transactions, possibly allowing them to impersonate the mobile user.
Worryingly, Facebook was found to be dismissing secure connections altogether, even if a user had specified that full-time HTTPS (SSL) should be used on their Facebook profile. Wallach found that the encryption request “apparently isn’t honored or supported by Facebook’s Android app”, opening the possibility for an attacker to inject status updates as a result.
Twitter was also found to send all communication in the clear, but because tweets are mostly public by nature, there isn’t much of a security concern. Because the microblogging service uses OAuth, it would be difficult for an attacker to create bogus messages.
The experiment shows that even when popular Internet services do employ secure authentication, the company’s official app does not necessarily use it in both directions. Google is especially at fault: the experiment was conducted on an Android smartphone, the company’s own platform, and the gap may have been overlooked as Google secured its more data-sensitive services.
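The kind of check Wallach’s class performed can be scripted. Below is an added example, not code from the article or from the class, that takes the connections an app made during a captured session (a constructed sample with placeholder host names) and reports, per destination, whether the traffic was TLS-protected and, if not, whether it carried state-changing requests that a network attacker could forge.

```python
# Added example (not code from the article or from Wallach's class): audit the
# connections an app made while its traffic was captured, reporting per
# destination whether the flow was TLS-protected and, if not, which
# state-changing requests were visible on the wire.
from dataclasses import dataclass, field

@dataclass
class Flow:
    host: str           # destination the app connected to
    port: int           # 443 is treated as TLS, anything else as cleartext
    requests: list = field(default_factory=list)  # request lines seen, if any

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

def audit(flows):
    """Return {host: {"encrypted": bool, "cleartext_writes": [lines]}}.

    A host is marked unencrypted if any of its flows was cleartext.
    """
    report = {}
    for f in flows:
        entry = report.setdefault(f.host, {"encrypted": True, "cleartext_writes": []})
        if f.port != 443:
            entry["encrypted"] = False
            for line in f.requests:
                method = line.split(" ", 1)[0].upper()
                if method in STATE_CHANGING:
                    entry["cleartext_writes"].append(line)
    return report

def risky_hosts(report):
    """Hosts where an on-path attacker could both read and forge requests."""
    return sorted(h for h, r in report.items()
                  if not r["encrypted"] and r["cleartext_writes"])

# Constructed sample session; host names are placeholders, not real endpoints.
SAMPLE = [
    Flow("mail.example.test", 443),
    Flow("calendar.example.test", 80,
         ["GET /calendar/feeds/default/private/full HTTP/1.1",
          "POST /calendar/feeds/default/private/full HTTP/1.1"]),
    Flow("social.example.test", 80, ["POST /method/status.set HTTP/1.1"]),
    Flow("microblog.example.test", 80, ["GET /1/statuses/home_timeline.json HTTP/1.1"]),
]

if __name__ == "__main__":
    rep = audit(SAMPLE)
    for host, r in sorted(rep.items()):
        status = "TLS" if r["encrypted"] else f"CLEARTEXT ({len(r['cleartext_writes'])} writes)"
        print(f"{host:28} {status}")
    print("risky:", risky_hosts(rep))
```

The same audit applied to a real capture should be read alongside the app’s own settings, since, as the Facebook case above shows, a user-facing HTTPS option is no guarantee that the app honours it.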
As Paul Ducklin at Sophos Naked Security points out:
Both companies really ought to bite the cryptographic bullet and offer a configuration option for mandatory HTTPS. This would be a setting by which well-informed users could instruct the Facebook or Google servers to reject any attempt – whether accidental or deliberate – to make an insecure connection.