Security Hole In Android

[drake]

Blog from Dan Wallach, professor in the Department of Computer Science at Rice University in Houston, Texas:

Today in my undergraduate security class, we set up a sniffer so we could run Wireshark and Mallory to listen in on my Android smartphone. This blog piece summarizes what we found.

Google properly encrypts traffic to Gmail and Google Voice, but they don't encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.

Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn't really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.

Facebook does everything in the clear, much like Twitter. My Facebook account's web settings specify full-time encrypted traffic, but this apparently isn't honored or supported by Facebook's Android app. Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook's server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.

The free version of Angry Birds, which uses AdMob, appears to preserve your privacy. The requests going to the AdMob server didn't have anything beyond the model of my phone. When I clicked an ad, it sent the (x,y) coordinates of my click and got a response saying to send me to a URL in the web browser.

Another game I tried, Galcon, had no network activity whatsoever. Good for them.

SoundHound and ShopSaavy transmit your fine GPS coordinates whenever you make a request to them. One of the students typed the coordinates into Google

Maps and they nailed me to the proper side of the building I was teaching in.

What options do Android users have, today, to protect themselves against eavesdroppers? Android does support several VPN configurations which you could configure before you hit the road. That won't stop the unnecessary transmission of your fine GPS coordinates, which, to my mind, neither SoundHound nor ShopSaavy have any business knowing. If that's an issue for you, you could turn off your GPS altogether, but you'd have to turn it on again later when you want to use maps or whatever else. Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these.

Publication from German University Ulm:

Catching AuthTokens in the Wild The Insecurity of Google's ClientLogin Protocol

[Phil Conners]

You don't need GPS enabled to use maps and other location specific apps. If you disabled GPS it will just triangulate the approximate location by the transmission towers (though of course with somewhat less precision). It also saves considerably on battery life to disable GPS when not needed.

[Crushdepth]

These are not 'Android' security holes, they are *application* security holes. Actually I'm not sure that they qualify as security holes either.

It's a good reminder that when you give an app permission to access your location, you have no real idea how it will use that permission and whether it will abuse it or not. In the examples above, the professor would have had to given explicit permission for the apps to use location data on installation. If he is unaware of that then the security hole is in his own head.

Until 'trusted' application providers become available that give guarantees about how their apps do or don't behave, the only real protection you have is *not to install* applications that ask for permissions that you are uncomfortable with.

Edited May 18, 2011 by Crushdepth