This article was published on February 24, 2011

Google and Facebook guilty of not encrypting mobile app traffic


Story by Matt Brian

Matt is the former News Editor for The Next Web. You can follow him on Twitter, subscribe to his updates on Facebook and catch up with him on Google+.

Google and Facebook are not encrypting the mobile traffic sent to and from their services, inviting would-be attackers to impersonate users or post bogus status updates as a result.

Dan Wallach, a professor at Rice University in Houston, Texas, set up a smartphone security experiment as part of his undergraduate security class: he sniffed traffic on a network whilst performing several web requests from his Android handset, and detailed his findings in a blog post.

The results from the experiment were telling, revealing security lapses on both Google’s and Facebook’s part. Google was found to encrypt mobile traffic to its Gmail and Google Voice services properly but not to its Calendar service, a smaller risk that wouldn’t necessarily expose sensitive information but would let an attacker observe calendar transactions and possibly impersonate the mobile user.

More worryingly, Facebook was found not to use secure connections at all, even when a user had specified that full-time HTTPS (SSL) should be used on their Facebook profile. Wallach found that the encryption setting “apparently isn’t honored or supported by Facebook’s Android app”, opening the possibility for an attacker to inject status updates.

Twitter was also found to send all of its communication in the clear, but because tweets are mostly public by nature, there isn’t much of a confidentiality concern. And because the microblogging service uses OAuth to authenticate requests, it would be difficult for an attacker to create bogus messages.
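To make concrete why signed requests resist forgery even when the transport is cleartext, here is an added example, not code from Wallach’s experiment or from Twitter, that models OAuth 1.0-style HMAC-SHA1 request signing on the client and its verification on the server. The URL, consumer key, token and secrets are constructed placeholders, and the server logic (signature check, then a timestamp window and a nonce set for replay protection) is a simplified illustration of the scheme rather than any real service’s implementation. The point it shows: a sniffer on the network can read the status text, but cannot alter it or replay it without the secrets that never leave the two endpoints.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders for the demo; none of these are real credentials.
URL = "http://api.example.invalid/1/statuses/update"
CONSUMER_KEY = "demo-consumer-key"
CONSUMER_SECRET = "demo-consumer-secret"
TOKEN = "demo-access-token"
TOKEN_SECRET = "demo-token-secret"
TIMESTAMP_WINDOW = 300  # seconds of clock skew the server tolerates


def percent_encode(value):
    # RFC 3986 encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unescaped.
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    # METHOD & encoded(url) & encoded(sorted "k=v" pairs joined by "&")
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"; the secrets never travel on the wire.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_status_update(status, nonce, timestamp):
    """Client side: assemble the parameters the app would POST and sign them."""
    params = {
        "status": status,
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params


class Server:
    """Server side: recompute the signature from the received parameters and the stored secrets."""

    def __init__(self):
        self.seen_nonces = set()

    def verify(self, method, url, received, now):
        params = dict(received)
        presented = params.pop("oauth_signature", None)
        if presented is None:
            return False
        expected = sign(method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
        # Constant-time compare; a tampered body or a guessed signature fails here.
        if not hmac.compare_digest(expected, presented):
            return False
        # Replay protection: reject stale timestamps and nonces already used.
        try:
            timestamp = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - timestamp) > TIMESTAMP_WINDOW:
            return False
        nonce = params.get("oauth_nonce")
        if not nonce or nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        return True


def demo():
    """What a passive observer of the cleartext request can and cannot do."""
    now = 1298505600  # constructed: 2011-02-24T00:00:00Z
    server = Server()
    captured = build_status_update("hello from my phone", "nonce-0001", now)

    # The observer edits the captured body but has no secrets to recompute the signature.
    forged = dict(captured)
    forged["status"] = "bogus update injected on the wire"

    return {
        "status_visible_to_sniffer": captured["status"],  # confidentiality is still lost
        "genuine_accepted": server.verify("POST", URL, captured, now),
        "forged_rejected": not server.verify("POST", URL, forged, now),
        "replay_rejected": not server.verify("POST", URL, captured, now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks in `verify` matters for what a log would tell an operator: a signature mismatch is recorded before the nonce is consumed, so a tampered copy of a genuine request never poisons the nonce set, while an exact replay fails only on the nonce check and can be counted separately.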

The experiment shows that even when popular Internet services do employ secure authentication on the web, the same protection is not necessarily carried through to the company’s official mobile app. Google is especially at fault: the experiment was conducted on an Android smartphone, its own platform, and the Calendar gap looks like something overlooked while the company secured its more data-sensitive services.

As Paul Ducklin at Sophos Naked Security points out:

Both companies really ought to bite the cryptographic bullet and offer a configuration option for mandatory HTTPS. This would be a setting by which well-informed users could instruct the Facebook or Google servers to reject any attempt – whether accidental or deliberate – to make an insecure connection.
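Ducklin’s suggestion, sketched as an added illustration and not as code from either company: a single server-side enforcement point that consults the account’s mandatory-HTTPS preference for every request, whether it arrives from the website or from a mobile app’s API endpoint. Because the decision is taken on the server, a client that ignores the preference, as Wallach found Facebook’s Android app did, still cannot be served over a cleartext connection. The host name, account names, client labels and the preference store are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

HOST = "www.example.invalid"  # constructed

# Constructed account preference store standing in for the real "always use HTTPS" setting.
MANDATORY_HTTPS: Dict[str, bool] = {"alice": True, "bob": False}


@dataclass
class Request:
    scheme: str          # "http" or "https", as terminated at the server edge
    path: str
    user: Optional[str]  # account identified by the request's session, if any
    client: str          # constructed label: "web" or "android-app"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def enforce_transport_policy(req: Request) -> Optional[Response]:
    """Runs before any handler and for every client. Returns a short-circuit response, or None."""
    if req.scheme == "https":
        return None
    if req.user is not None and MANDATORY_HTTPS.get(req.user, False):
        # A redirect would be too late: the cleartext request already identified the session.
        # Reject outright so the account owner's choice holds no matter which client sent it.
        return Response(403, body="insecure connection refused by account setting")
    # Accounts without the setting keep the usual behaviour: a redirect to HTTPS.
    return Response(301, headers={"Location": f"https://{HOST}{req.path}"})


def handle(req: Request) -> Response:
    blocked = enforce_transport_policy(req)
    if blocked is not None:
        return blocked
    # Browsers are told to stay on HTTPS for a year; apps should pin HTTPS URLs regardless.
    return Response(200, headers={"Strict-Transport-Security": "max-age=31536000"}, body="ok")


def demo() -> Dict[str, int]:
    """Status codes the policy yields for a few constructed requests."""
    cases = {
        "alice_web_https": Request("https", "/home", "alice", "web"),
        "alice_app_http": Request("http", "/api/status", "alice", "android-app"),  # the case Wallach observed
        "bob_app_http": Request("http", "/api/status", "bob", "android-app"),
        "anonymous_http": Request("http", "/login", None, "web"),
    }
    return {name: handle(req).status for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The distinction between the 403 and the 301 is the substance of the proposal: a redirect still lets the first cleartext request go out with whatever it carried, whereas a refusal gives the user a visible failure and gives the app developer no way to work around the setting.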
