
Why Your Android Smartphone Is Not As Secure As You May Think

BLOGBloke uses an Android phone (Samsung Galaxy S) and is very happy with it. I generally don’t have GPS enabled or use my phone much for confidential conversations so I feel relatively secure. But after reading this article (below) I may have to reconsider that notion.

There are things that we can do to minimize the risk which I will discuss at the bottom of this post, but first let’s take a look at Android’s security shortcomings.

For a class project a computer science teacher decided to check out Android’s security and was in for a shock. Although Google encrypts Gmail and Voice requests, apparently it doesn’t encrypt Calendar requests.

Twitter, it seems, is only partly secure, and Facebook (of course) is not secure at all. Some Android apps such as SoundHound and ShopSavvy are even capturing GPS locations for no apparent reason, or just because they can.

Using the software sniffers Wireshark and Mallory to listen in on his own Android smartphone, Dan Wallach soon discovered:

  • Google properly encrypts traffic to Gmail and Google Voice, but they don’t encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
  • Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn’t really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
  • Facebook does everything in the clear, much like Twitter. My Facebook account’s web settings specify full-time encrypted traffic, but this apparently isn’t honored or supported by Facebook’s Android app.
  • Facebook isn’t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook’s server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.
  • The free version of Angry Birds, which uses AdMob, appears to preserve your privacy. The requests going to the AdMob server didn’t have anything beyond the model of my phone. When I clicked an ad, it sent the (x,y) coordinates of my click and got a response saying to send me to a URL in the web browser. Source

To protect yourself against eavesdroppers Dan recommends using Android’s VPN configurations, but that won’t stop the unnecessary transmission of your “fine GPS coordinates” from rogue software.

So it is better to keep GPS off altogether and turn it on only when you absolutely need it, such as when using Google Maps.

That’s what I do. You can also consider using Twitter HTTPS for more secure connections. So now you know.

P.S: I’ve been using Wireshark and it’s a real eye opener. Try it for yourself.
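As an added example (not code from this post or from Dan Wallach's write-up), the Python sketch below shows the kind of check these findings rest on: given the first client-to-server bytes of each connection from a capture of your own phone, it separates TLS from cleartext HTTP and flags cleartext requests that carry a session credential or GPS-style coordinates. The host names, payloads and function names are constructed for illustration.

```python
import re

# Constructed sample: first client-to-server bytes of four flows, as exported
# from a capture of your own phone. Hosts and values are made up.
SAMPLE_FLOWS = {
    "mail.example:443": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 16,
    "calendar.example:80": b"GET /feeds/default HTTP/1.1\r\nHost: calendar.example\r\n"
                           b"Cookie: SID=constructed-session-value\r\n\r\n",
    "ads.example:80": b"GET /ad?model=GT-I9000 HTTP/1.1\r\nHost: ads.example\r\n\r\n",
    "app.example:80": b"POST /checkin?lat=12.3456&lon=-65.4321 HTTP/1.1\r\n"
                      b"Host: app.example\r\n\r\n",
}

HTTP_START = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
CRED_HEADER = re.compile(rb"^(Cookie|Authorization):", re.I | re.M)
LOCATION = re.compile(rb"[?&](lat|lon|lng|latitude|longitude)=-?\d+\.\d+", re.I)

def is_tls_record(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), then version 0x03 0x0N.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04

def classify(data: bytes) -> dict:
    """Label one flow by transport and list what it exposes if sent in the clear."""
    if is_tls_record(data):
        return {"transport": "tls", "findings": []}
    if not HTTP_START.match(data):
        return {"transport": "unknown", "findings": []}
    head = data.split(b"\r\n\r\n", 1)[0]  # request line and headers only
    findings = []
    if CRED_HEADER.search(head):
        findings.append("session credential sent in cleartext")
    if LOCATION.search(head):
        findings.append("location coordinates sent in cleartext")
    return {"transport": "cleartext-http", "findings": findings}

def audit(flows: dict) -> dict:
    return {name: classify(payload) for name, payload in flows.items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_FLOWS).items():
        notes = "; ".join(result["findings"]) or "-"
        print(f"{name:22} {result['transport']:15} {notes}")
```

A flow labelled `tls` only shows that the connection starts with a TLS handshake; it says nothing about whether the app validates the server certificate.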

Written April 14th, 2011 | 5 Comments | Filed under: Mobile Tips, News, Security Tips


There are 5 Comments so far to “Why Your Android Smartphone Is Not As Secure As You May Think”

  1. Yea, telling everyone where you are isn’t the safest thing to do. I can’t say anything as I have been guilty of doing this on FB. Skype is also having an issue with privacy and 3rd party software that works with Skype.


    Reply by: BLOGBloke at 12:54 am said...

    @Curtis, that’s a good point. This isn’t necessarily a failure of Android’s, but it is the software that’s being developed for it that’s guilty (though Google also developed G Calendar). There is however another issue that is directly related to Android which I’m currently writing about, and I will speak more about that later.


  2. In awe of that! Really cool!


  3. Your Android Smartphone Is Not As Secure As You May Think http://bit.ly/ic2CL0

  4. Your Android phone may not be as safe as you think it is. http://bit.ly/eAZ9Mz
