eWEEK Labs does its own investigation of the security of mobile apps such as those from Apple's App Store. Labs found that mobile apps may be broadcasting much more than you know. Indeed, you might say that your smartphone is talking about you.
A couple months ago, I pondered the security of mobile
application transmissions when used over insecure networks, specifically over
unencrypted Wi-Fi hot spots
a mobile device browser shows the little lock so users know SSL
is being employed to protect certain data, mobile applications typically
provide no such reassurance, unless such a proviso was buried deep in the
I wouldn't expect mobile applications to encrypt everything
transmitted over the air. Instead, I would expect them to behave as would
any reliable and reasonably secure Web application-encrypting confidential
data, while sending media and non-personal text in the clear.
But since these applications don't readily promote or advertise
their in-place security measures, and because it is too easy for a user to
unwittingly move from relatively secure HSDPA/EDGE data transmissions to an
unprotected WLAN network (such as AT&T's Wi-Fi network, which can be
commonly found in Starbucks and McDonald's), I don't have a clear idea of what
my device is saying about me and my usage habits over the air.
I decided to investigate the matter a little more, so I set up
a wireless protocol analyzer (Network Instruments' Observer 12) and
sniffed the traffic generated when using common iPhone applications with the
iPhone attached to an open Wi-Fi network.
I was looking for passwords or other personal data. To limit
the amount of collected data I needed to parse through, I created an analysis
filter specific to my hardware address and captured only TCP
or UDP traffic to and from that address. Since the iPhone doesn't support
background applications, it was relatively simple to isolate the traffic for a
specific application: I turned off e-mail push capabilities and used only one
iPhone application per capture session.
My investigation was not intended to be an all-encompassing
look at the entire iPhone application ecosystem, but rather a spot check of
those applications that I use on a day-to-day basis.
I examined Apple's App Store, Facebook, Twitterific, Skype,
Fring and the Amazon mobile storefront application. From those
applications, I found a varying degree of application encryption (HTTPS/SSL),
and could glean some personal details from most of them.
I started with the App Store. Apple selectively encrypts
traffic that could contain sensitive data, so I didn't see any user names,
passwords or payment information. On the other hand, anyone trying to
fingerprint a client device will have an easy time of it, as the application
sends the device type and firmware version in clear text.
Facebook doesn't use any encryption at all, leveraging only
HTTP for transmitting data. The application seems to hash the user
name/password combo in a cookie, so I could not sniff that data
directly. I could definitely see a lot of cookies being transmitted back
and forth, however.
I was surprised to see that Twitterific, a Twitter client for
the iPhone, encrypts almost everything with SSL. Credentials
and tweet updates both seemed to be adequately protected.
Amazon, an application that promises to use SSL
encryption per the license agreement, does indeed protect the user
name/password and credit card information. However, shopping activity is not
encrypted, so perused items will be broadcast in the clear. I also found that
Amazon sent my name in the clear with the site's welcoming text, "Hello, Andrew
Fring, the multiprotocol instant messaging and VOIP client, was
rather disturbing in terms of what could be gleaned over the
air. Scrolling through the various packets I collected, I found a user
name-which I think is for the master Fring account, rather than a particular IM
service. I also was able to collect every contact pulled down from the
servers, which in my case included AIM,
Google Chat, Yahoo Messenger and Skype contact lists. And since my Skype
contact list includes landline and cell phone numbers for use with SkypeOut,
all those numbers and their associated contacts could also be gleaned from
The iPhone Skype client, conversely, seems to encrypt just
about everything-as would be expected given Skype's proprietary protocols.
To be sure, there are ways users can protect
themselves. The iPhone comes with a Cisco IPSec VPN client nowadays, so
corporate users can think about securing all transmissions via the VPN
regardless of the data connection. But in lieu of access to such a VPN,
users should take some time to consider what their device is broadcasting to
anyone nearby when using all those cool new applications on Wi-Fi hot spots.
Senior Analyst Andrew
Garcia can be reached at firstname.lastname@example.org.