Monday, April 29, 2019

2.2 froyo - What Android sync'd data is encrypted?



With the release of the Firesheep plug-in for Firefox it has become trivial for website browsing on open Wi-Fi networks to be hijacked by 3rd party listeners.


Android offers the convenient auto-sync option. However I fear that my data may be auto-sync'd while I am connected to an open Wi-Fi network while at the local coffee shop or shopping mall.


Is all the data Android auto-syncs encrypted using SSL or a similar encryption mechanism? Is any auto-sync'd data unencrypted and transmitted in the clear for all to listen in to?


Update: COMPLETELY INSECURE!!!! See below!!!!



Answer



Note: answering my own question as nobody knew.


I did a packet capture after selecting Menu -> Accounts & Sync -> Auto-sync (also accessible via the "Power Control" widget). What did I discover?


To my horror (http requests from phone displayed below):


GET /proxy/calendar/feeds/myaccount%40gmail.com HTTP/1.1
Accept-Encoding: gzip
Authorization: GoogleLogin auth=_hidden_
Host: android.clients.google.com
Connection: Keep-Alive
User-Agent: Android-GData-Calendar/1.4 (vision FRF91); gzip

and


GET /proxy/contacts/groups/myaccount@gmail.com/base2_property-android?showdeleted=true&orderby=lastmodified&updated-min=2010-12-01T08%3A49%3A00.561Z&sortorder=ascending&max-results=10000&requirealldeleted=true HTTP/1.1
Accept-Encoding: gzip
Authorization: GoogleLogin auth=_hidden_
GData-Version: 3.0
Host: android.clients.google.com
Connection: Keep-Alive
User-Agent: Android-GData-Contacts/1.3 (vision FRF91); gzip

My contacts and calendar are being transmitted unencrypted! I don't currently synchronize gmail so I couldn't say if that is unencrypted either.


Also the stock market application (which must be a service because I don't have the widget displayed or the application active):


POST /dgw?imei=TEST&apptype=finance&src=HTC01 HTTP/1.1
User-Agent: curl/7.19.0 (i586-pc-mingw32msvc) libcurl/7.19.0 zlib/1.2.3
Content-Type: text/xml
Content-Length: 338
Host: api.htc.go.yahoo.com
Connection: Keep-Alive
Expect: 100-Continue




VOD.LBARC.L




Completely unencrypted request for stock quotes: just think, you could sit in Starbucks in the financial centre of your city and packet-sniff what quotes were important to all the smart phone users around you.


Other items that were not encrypted:



  • HTTP request to htc.accuweather.com

  • time request to time-nw.nist.gov:13 (doesn't even use NTP)


About the only data that is encrypted on my phone are the mail accounts I set up with the K-9 application (because all my mail accounts use SSL - and fortunately gmail accounts are, by default, SSL; and yahoo! mail supports imap using SSL too). But it seems none of the auto-sync'd data from the out-of-box phone is encrypted.


This is on an HTC Desire Z with Froyo 2.2 installed. Lesson: do not use phone on open wireless network without VPN encrypted tunnelling!!!


Note, packet capture taken by using tshark on ppp0 interface on virtual node running Debian connected to Android phone via OpenSwan (IPSEC) xl2tpd (L2TP).
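The review the answer does by eye can be automated when auditing a capture of your own device. The following is an added example, not part of the original post: it parses a text dump of cleartext HTTP request heads and reports, per request, which sensitive items were visible on the wire. The sample input is constructed from the requests quoted above, and the category names and the `DEVICE_PARAMS` list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: request heads like those quoted in the answer above,
# as they would appear in a cleartext HTTP dump (token already redacted).
CAPTURE = """\
GET /proxy/calendar/feeds/myaccount%40gmail.com HTTP/1.1
Authorization: GoogleLogin auth=_hidden_
Host: android.clients.google.com

POST /dgw?imei=TEST&apptype=finance&src=HTC01 HTTP/1.1
Host: api.htc.go.yahoo.com
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CREDENTIAL_HEADERS = {"authorization", "cookie"}
DEVICE_PARAMS = {"imei"}  # assumption: query keys treated as device identifiers


def audit(capture):
    """Return one finding dict per cleartext request head in the dump."""
    findings, current = [], None
    for line in capture.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if m:
            url = urlsplit(m.group(2))
            exposed = set()
            if EMAIL.search(unquote(url.path)):  # %40 decodes to '@'
                exposed.add("account-id-in-path")
            if DEVICE_PARAMS & {k.lower() for k in parse_qs(url.query)}:
                exposed.add("device-id-in-query")
            current = {"method": m.group(1), "host": None, "exposed": exposed}
            findings.append(current)
        elif not line.strip():
            current = None  # blank line ends the header block; skip any body
        elif current is not None and ":" in line:
            name, value = (part.strip() for part in line.split(":", 1))
            if name.lower() == "host":
                current["host"] = value
            elif name.lower() in CREDENTIAL_HEADERS:
                current["exposed"].add("credential-header:" + name.lower())
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURE):
        print(f["method"], f["host"], sorted(f["exposed"]))
```

Any request that shows up in such a dump at all was sent without TLS, so every finding it lists is data a listener on the same network could read.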

