Why Your Android Smartphone Is Not As Secure As You May Think
BLOGBloke uses an Android phone (Samsung Galaxy S) and is very happy with it. I generally don’t have GPS enabled or use my phone much for confidential conversations so I feel relatively secure. But after reading this article (below) I may have to reconsider that notion.
There are things that we can do to minimize the risk which I will discuss at the bottom of this post, but first let’s take a look at Android’s security shortcomings.
For a class project, a computer science teacher decided to check out Android’s security and was in for a shock. Although Google encrypts Gmail and Google Voice requests, it apparently does not encrypt Calendar traffic.
Twitter, it seems, is only partly secure, and Facebook (of course) is not secure at all. Some Android apps, such as SoundHound and ShopSavvy, are even capturing GPS locations for no apparent reason, or just because they can.
- Google properly encrypts traffic to Gmail and Google Voice, but they don’t encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
- Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn’t really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
- Facebook does everything in the clear, much like Twitter. My Facebook account’s web settings specify full-time encrypted traffic, but this apparently isn’t honored or supported by Facebook’s Android app.
- Facebook isn’t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook’s server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.
- The free version of Angry Birds, which uses AdMob, appears to preserve your privacy. The requests going to the AdMob server didn’t have anything beyond the model of my phone. When I clicked an ad, it sent the (x,y) coordinates of my click and got a response saying to send me to a URL in the web browser. (Source)
To protect yourself against eavesdroppers, Dan (the teacher quoted above) recommends using Android’s VPN configuration. A VPN only hides your traffic from anyone listening on the local network, though; it won’t stop rogue software from needlessly transmitting your “fine GPS coordinates” in the first place.
So it is better to keep GPS off altogether and only turn it on when you absolutely need it, for example when using Google Maps.
That’s what I do. You can also consider using Twitter over HTTPS for a more secure connection. So now you know.
P.S.: I’ve been using Wireshark and it’s a real eye opener. Try it for yourself.
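As an added illustration of what to look for once you have a capture of your own phone’s traffic (this script is mine, not from the original article, from Dan’s class project, or from Wireshark): it reads requests in a constructed, tshark-style one-line-per-packet text form and flags every request that left the phone unencrypted, noting when the query string carries GPS coordinates or the headers carry a cookie or OAuth token. The line format, hosts and addresses are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in a tshark-style "src -> dst proto info" layout (not a
# real capture); addresses and hosts are documentation placeholders.
SAMPLE_CAPTURE = """\
192.0.2.10 -> 198.51.100.1 TLSv1 Client Hello SNI=mail.example.com
192.0.2.10 -> 198.51.100.2 HTTP GET /calendar/feeds/default?alt=json HTTP/1.1 Host: calendar.example.com Cookie: SID=abc123
192.0.2.10 -> 198.51.100.3 HTTP GET /search?q=song&lat=29.7174&lon=-95.4018 HTTP/1.1 Host: music-app.example.net
192.0.2.10 -> 198.51.100.4 HTTP POST /method/fql.query HTTP/1.1 Host: social.example.org Authorization: OAuth oauth_token=xyz
192.0.2.10 -> 198.51.100.5 HTTP GET /ad?model=GalaxyS HTTP/1.1 Host: ads.example.com
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+) (.*)$")
REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE) (\S+) HTTP/1\.[01]")
HOST_RE = re.compile(r"Host: (\S+)")
# Cookies, Authorization headers or OAuth tokens sent in the clear can be
# read and replayed by anyone on the same WiFi.
CRED_RE = re.compile(r"Cookie:|Authorization:|[?&]oauth_token=")
GPS_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}


def audit_capture(capture_text):
    """One finding per cleartext HTTP request: where it went and what leaked."""
    findings = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, info = m.group(3), m.group(4)
        req = REQUEST_RE.match(info)
        if proto != "HTTP" or not req:
            continue  # TLS flows expose only the server name to an observer
        method, target = req.groups()
        host = HOST_RE.search(info)
        parts = urlsplit(target)
        issues = ["cleartext"]
        if GPS_KEYS & {k.lower() for k in parse_qs(parts.query)}:
            issues.append("gps-in-cleartext")
        if CRED_RE.search(info):
            issues.append("credential-in-cleartext")
        findings.append({"host": host.group(1) if host else "?",
                         "method": method, "path": parts.path, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f['method']} {f['host']}{f['path']}: {', '.join(f['issues'])}")
```

In the sample, the encrypted mail flow is skipped, the calendar request is flagged for a cleartext session cookie, and the music-app request for GPS coordinates in its query string.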