Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Is Mobile Security an Oxymoron?



 By: Andrew Garcia
2009-05-27
Article Rating:starstarstarstarstar / 5


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
eWEEK Labs does its own investigation of the security of mobile apps such as those from Apple's App Store. Labs found that mobile apps may be broadcasting much more than you know. Indeed, you might say that your smartphone is talking about you.

A couple months ago, I pondered the security of mobile application transmissions when used over insecure networks, specifically over unencrypted Wi-Fi hot spots. Whereas a mobile device browser shows the little lock so users know SSL is being employed to protect certain data, mobile applications typically provide no such reassurance, unless such a proviso was buried deep in the license agreement.

I wouldnt expect mobile applications to encrypt everything transmitted over the air.  Instead, I would expect them to behave as would any reliable and reasonably secure Web applicationencrypting confidential data, while sending media and non-personal text in the clear.

But since these applications dont readily promote or advertise their in-place security measures, and because it is too easy for a user to unwittingly move from relatively secure HSDPA/EDGE data transmissions to an unprotected WLAN network (such as AT&Ts Wi-Fi network, which can be commonly found in Starbucks and McDonald's), I dont have a clear idea of what my device is saying about me and my usage habits over the air.

I decided to investigate the matter a little more, so I set up a wireless protocol analyzer (Network Instruments Observer 12) and sniffed the traffic generated when using common iPhone applications with the iPhone attached to an open Wi-Fi network.

Resource Library:

I was looking for passwords or other personal data. To limit the amount of collected data I needed to parse through, I created an analysis filter specific to my hardware address and captured only TCP or UDP traffic to and from that address. Since the iPhone doesnt support background applications, it was relatively simple to isolate the traffic for a specific application: I turned off e-mail push capabilities and used only one iPhone application per capture session.

My investigation was not intended to be an all-encompassing look at the entire iPhone application ecosystem, but rather a spot check of those applications that I use on a day-to-day basis.

I examined Apples App Store, Facebook, Twitterific, Skype, Fring and the Amazon mobile storefront application.  From those applications, I found a varying degree of application encryption (HTTPS/SSL), and could glean some personal details from most of them.

I started with the App Store. Apple selectively encrypts traffic that could contain sensitive data, so I didnt see any user names, passwords or payment information. On the other hand, anyone trying to fingerprint a client device will have an easy time of it, as the application sends the device type and firmware version in clear text.

Facebook doesnt use any encryption at all, leveraging only HTTP for transmitting data. The application seems to hash the user name/password combo in a cookie, so I could not sniff that data directly. I could definitely see a lot of cookies being transmitted back and forth, however.

I was surprised to see that Twitterific, a Twitter client for the iPhone, encrypts almost everything with SSL. Credentials and tweet updates both seemed to be adequately protected.

Amazon, an application that promises to use SSL encryption per the license agreement, does indeed protect the user name/password and credit card information. However, shopping activity is not encrypted, so perused items will be broadcast in the clear. I also found that Amazon sent my name in the clear with the sites welcoming text, Hello, Andrew Garcia.

Fring, the multiprotocol instant messaging and VOIP client, was rather disturbing in terms of what could be gleaned over the air. Scrolling through the various packets I collected, I found a user namewhich I think is for the master Fring account, rather than a particular IM service. I also was able to collect every contact pulled down from the servers, which in my case included AIM, Google Chat, Yahoo Messenger and Skype contact lists. And since my Skype contact list includes landline and cell phone numbers for use with SkypeOut, all those numbers and their associated contacts could also be gleaned from unencrypted transmissions.

The iPhone Skype client, conversely, seems to encrypt just about everythingas would be expected given Skypes proprietary protocols.

To be sure, there are ways users can protect themselves. The iPhone comes with a Cisco IPSec VPN client nowadays, so corporate users can think about securing all transmissions via the VPN regardless of the data connection.  But in lieu of access to such a VPN, users should take some time to consider what their device is broadcasting to anyone nearby when using all those cool new applications on Wi-Fi hot spots. 

Senior Analyst Andrew Garcia can be reached at agarcia@eweek.com.

 





  Reader Comments: Is Mobile Security an Oxymoron?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Andrew Garcia
 


x}r㶲s\@♵M=RJ[45SHHbLZ$e[Y?_v8x -8%lh|CgowD.\ݴ1t͹M5>5-3s-GgRSrĠt Egiu;AzpD7d>J`OS{S  Ɠ5>X1=/[S}L}F7\3eb^Q$Ё_M¦%yCDRm@|׶#ַ(>r@ߨVANé-}!*{|HJ%h!GQus?; _h@a50NKg8$C5nCUVekV6^;s9Fȹ׳z$fRvn8Gd jI:*`iTi11܋]Lч@oڮS.PVfFԲ;guGgcGMҳGCLH6=~0[QM+.l5ZJP0'C8:)X̠e[7'0ml_j| uvs<$s~7 jd1KU 6 C p==\'xtTa_eY7;fؖqwh 푦J5(GJ\S#G}rL޷-g`*sgyÝxk[7?һPʪ)Ji_H C[wn -%ZAT\OYt[a\`'H [ɯDQT"*rp4MI 1qzj %RM7JQ_PKX+hv$ꑑf1<˧H0CF^8RCb9n򳩥鷮۽NΏۭ3$IJ5<JEӀH ZvF,E%Msڽ鑳59m}nzH _ܹGtHM Wh:w -NXkU[7`Kk'ޮCLJM[CyC0-ߕRMRs?"1|w=jIo]}:h$7Y>ퟒ//!}Ow| nr#$7ReQ o̱o>0@|ˤd&r, ?n\S'G`h__ӬZxka 4+@_x0ND5fIs(,eg{ MH5Ŧ]`)exNS$%/^P%P샖_΢[2jFTwIQa#wax̌_,ʹcc^IRe6\a>PY<8vwܬu"*մ޹-~4ҢKsqnUVǫ #KEHYf7-wI0ꨦUʵt ~|,VRS_W,@F̶# &s;y0`;}JOiͧ8!9~tDAG66^zK tcb>'ݨä pp|w͇v9s/|TaR֔zNJ$>6Z\χ`c˖CB뎂9{׻ergmM~ٚС4}a hp3*~s`=w= } wk 6G~[>l0s0 q0y_ zOEȣ$@!"-i]NP@Ar68 -,rrޑvZ*&RPJnOq$]cwJ"ڹ&,S,ЂW-Kᗄtfh(L=n1!UG,D`v9r,L.Z ϴ6Jy[+R4dT(9 +ZIQQ#U^ğ/;*XF0-/Cw)?ǘ[eX4LmRT2q)(f+7/TRԛȦ5S GZdLAuϝ2h Jd@`Wv.َgK4'*J?J+8從2MS|(n^ßݴ#>d .z:H(p0ѿzĞnv(֌4UʝWRy'g|)WNyքc$C ֓6_2˧L)ESr:w'NѫU?ZĿL?ͦzkXؽh@r6ҁ~eZZ @-ĿUi ma7k )`|M("6XR(vӱυ5Ӳ ="Csz QIZеہ`5s7\PeM}dҶbFoՒh#Mb1vn ʸfJirij>NMKϵ("fLOglp>H!%6D;~S sOЭ,p8*4jkT=Ckab恈7_E3ka{61tJ.,]{1Y_,*{g5eW45e"AYڇ&:=4̄+ud'T-{ =}6:y֚?NRP$`/#[յ /Q+wڶ{t]QGq, bj\Z<~o™5z6|*j0FBċV(l^~kN4:E80Nݡe-6m*IH-qۻ(Qܧ&;alâ˘c_ #>(cpHl`_\Ї> B LΧRE\ ~1~1UŠP=) ]`uX]/XL+*)Gpϟ  sWyGZ?O#y:T+BZ=QQT*h*(S$i5`w4'u`~6xOe֛/Jm@o([gn+}K-˰p #.Z$ c0Y /ÊTU5ݧ i ~>EV6őG@=q?@*:2 XZ 0(E{耰⢉!H{+4pý225\ZS:ٝ'(R~p;>=-h0 nZD]bRXEGvoqe(Dkԃ3~Sb_@URTʞO"9+AG^320"C;wF\!vʬi~r?pߎXAm†9k+sD ü |30Jј<,*=:Y5AP,4gy3iqS2ܪ+_MebxEOP?l]Z.+BvQ *s>P|o -"Ԅ_8 +~W?l)ɡHHD>DQkF\{e"nxB*n gF Dssb^n>A*[/I6]S0:;_ ݘ`3ax -$^ԕº}s>ƶϺtּl_|9A&~?<n琷QAZ={q À>";E:RO54osV=; J@cG$=ĸ}/gvj;kmu8.odhq^ 8I{v%%{w;Oz܃폝CFW!zN.ZlfS L k;d8) hdjm\8$Ø/=^q@چWҽ>m]sb륨kNZ _k5WE.'7(amFp~[_aY,$20. I+U:=>   kJ=!o8m._i9D[ `M/ԩ #ADrElFzRFijIɉO/aIb1:*:{_Zakᷘo9?Oů1OkWtAxW(tNz4\3[IN:m&݋B2^'68/=h1ޏHE/pǻ"Ts(L,ӤND)fTxi'y0:F{8쀒N1{TlOܡM]nĖS9Z)ŔL ir4 AgJȄaye5)a5R!MLCYOC/$$f;B:z{ fg{ڀĴ&{6wg Kڗwn_"#O&8v\%0G qo4/BE HY)o9yB>Blb%%hҫoeW!؁\Cp0S`0#!9ϫ|1}~XU*۽N H1s ذq ;eΫ P|~w{{eB s?݁CO6r=ICo6O&Ս A0nsk@ϝO)|92M3}ݺJf:2iAhl3O7nC\`l_#t@{~}q.e~W(TRn /bO$J麇9|MT--^\RK>]_+U뀞< h6`#Fm`"fFsME[fO<|nF??C4ȥ</滜;`!3ȑ$+Ӡ5m.Ƕs$;gr0G $T8h l|nwkLRx66y)1h4Rwol9lv8W -6N 6V8U W_÷zgVy{ rx|[vzoǜxk5-U5U֒`PBH|pN7̼V&Q~p*COƥG/>qĨ`bx?r`f[w!%; #)݄'){ ̻Rjy`T[J. )ٮ8\ja>S_RrKBC= XB΂sѳ~YWbA7z58i,< <ÂE݅> ܙHn&d:SN7p՛K\oqHxD'? ;?+m2NhlhJsbS!:(s<%t A "rG{YmY60i%&o`  -1qSI|<Վ,9b?P nYp%BB`q:uQ}O'1pa*ȄȂnr AA>w量BlId5=%fext:S^>vc"UQ?=`[QS߷ZgYE9T_p& ,5'Yě)ȭ,Ilv}=7 H%8DTRi"I6$bcHHnl /YMM<}A*Sz%F#OLJ}yׇaԗuz"ϜqPZpi*(kj_~v_tx9 Mz# <͐ɲO @xZySתr!YIQy'P?Ub[PP1T=$LyW6mT 9LsE.YnCϽKZE-˲K1}OރPBsCG\JlxR,),<vllUmuwOJj}(]h/E'kWuԟ=6v[jzҥt;IJVTj#$ˑ$Vo.OCJ$ wAcO ¶VxMBkk?BGH'tFkpq/ccy r|RUJ bdt:7K/WO9o?\ےk5UU$@,$C u XUj:Z/])Kj\ D, X7>AoLGOKo>4+ےf5I:/ .~,i,AycIgicv]Yz|Q56HJQRmɠdpSzqbla)!-g!j&@1KP B%*!*PAXX}\0ڛ%ga)DSxOMmitFaV׶UƼ.h;# 3h.fjhE^ u\OD|n#P'ZJ&:Jxň_|  wQizRʮ K}oOi}Im ]\2L00R  %Ҙb[ΫhCϸpqQK=\!xlDmN@oX삆C-UݣͱҵO~B=*IʥVtJN\ok:7 K`6L`  QƳAlIꜽn_Jݲ}n .oUMIiGcfmjm9WG`_~ @x #LP٤7IfcQ|-+mi-آ&'7I/ y|JM}nv_J_&ӛVgY`@1!apa17w@cނ3PU'̉$&6%d49tAroU! V̠$!#)~}a sMչ C`I )e?l?ylGWу.?<*қ%K\tYp =@9AP:qD zMlz.vG;#|x!?,Кqb hr}60XybY7ad (v";+&g˕K~3R%_N ނxn|af1S~3qW|-)ߴ{dX,~ ?:^{ͰbdjU{4''@#-n'f:]gd*淵qdyN;}V)Kmjhk;1}ԺD؆_NFTˬ{$Q3 ƹ;}e",Nk֖T5P2aD+op;B䀉p=@;I|`u1] נ 8weSO}ի^_Vc#-/*`6m{pOݦ}-G\ۊbVd=-D7߀\<@f!S61޶Qk1⽨~Geٿg{H^;P`n:ƵVxrMv m`/ 3cьJCMwȭAc+u.H-_p\dEw'yDdm ߢQY?`C䷿T}fw1^4}f2QQ QE̐p۽"SPE\y|K 㷈-D#_X~x UH;@!]0=xgw|'"Gbaw9Ƕ6VGcmc=R,oͮԐ5|51 9 >dΤ ly4,~DSM=1o[>-V8E l+96i[>ˈ4>(CZPBZ]l’M=It9ꚚrMWn @`%~5QDZC@ O^a)qc) kpx+΃L,GTn/͛I~p\o+CEm.95͂E tCs95U(5u=b?=G/utIjbiA.c2·X31a}ő*B UNz ytFu*R!ѤF GZj>kik6j=!`5?؝dvn&F-m']қ≠DU֝uȓPc“-* ;,yu67F%y1[+`65~OR.g@%[7\ 0>P6)l]X-TsZ.Wfz`Nyu_ZՔV-`{dIX|cadT\kX]ZcՀy8BK.xړGF^G<2RI+[g/Htg@#T؀yJ}ҷ<#%(F<<}Q,턂R!FғR |KAr|jXojzrtP"ļNJaίޝKj_$|rROsGO<;u_aci*pm[*{=E-h<#ԹNWvC[ԦF p7@Q`1D GM&7ba׺hI5Bx_m^9^d ?gd_C&Pj3 ݌rSi+O6~21?A\㼽}kO3ʡ(3s/Qʿl.A5.31K{Ke~.a̠K Dd?gCyFOPSF%_fv2_'cnF  !_>2 ޿x G7``'ss'O?g>g3sn&&~oon2/$)CAy3ϚWpz~;"9(/R*zUKYFy 3YY zvAeX^e\512ௗeߗdnleҾ:&R+ ]Q%5-{[I2}Wc|u(X2M*7!#(,8%Y}MNJ 4tk 7b[yDYAI{R}tEwI>tqLwN>]_Һ4/W͏-ЙOA]eGӠ[Y"B8 C7o0 dp= 3vڢ{! 7\zќ8oƮ; P7maIfT.jZQo\)Uʹo俓kD2Lz@ b3jJ]NmJTL3DAzg l]{ۦJ̾ZCO3CX)ḇ}̺l-C P1=:rǬD*Yۼx0l{|yN؛ڎy@7 J,5{3ŨЫD@3>Ɲ/=mc5q) ߄dD2yhp䓿 tV8M4ǝaƹrV4@8v[h xqfaKx uYcc6HmTώ{;];!5 uu7L_'/T3tB O-kV5xŃB|(pIi/ 0S*1/D了mvv.#NnϘ ˙? lڝHz]6~>%v cf\gHa)x܃ARjMaMgY2&zu Th4Ffβْoߦ;Üz LJ @Bo)%&Tum_I-gl"$E a'ChyaXl=$~5|t,C䷦cS֒_6/gwcǁysԷeEQ&PL¶c#U%4yHRͤO[=$sDs݅ ߠ(b/<% * >#.X&">m?'.}Nu;H'"@2xrtPŗ;wiS)fGNFp)hN<}y?٢ u+ ğ? \cwHV& 1ΪTU|>cx 'w565Tc :ۓ|?Oe Mt8/o9kn>7Q$L{ izQZˤ`+슧~0qGĶ2C|R0OUpvRvcdLw9qgSg _((u@Eqg˫PyGmm<"^|:uGׂ=Q'FaжZWt{]+l 1C>b]R>E+ ]'[ۧ3й?-{/e; ],{QFbfA#q얢u.nDcwϏp`2[\g4^m,eL׎aYg^^kte(n aaXVyz|LVz S%ȕ/2f#xoUA5̺J"4&o)FҢpL\岞Ԕbե{7 P%On6%s\ɜKRSk$5WYViQ}*' Cfڱ wm<lx61meN+