A university professor in the US has demonstrated a security weakness in Google's Android phone: applications send user data, including credentials, over the network without any encryption, so it can be read by anyone eavesdropping on the connection.
According to a report by The Register, Dan Wallach from Rice University in Houston, Texas, connected a packet sniffer to his network and showed that the traffic sent to and from his Android handset was unencrypted.
He demonstrated that Facebook transmitted everything except the password in the clear; that using Google Calendar on an unsecured network made it possible for another user to see your schedule; and that the SoundHound song-recognition app transmitted the user's GPS coordinates, accurate to the street the user was on, to the service each time a request was made.
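The findings above, and the unencrypted session IDs mentioned later in the piece, are the kind of thing a developer can check for in their own app's traffic before release. The following Python script is an added example and not Wallach's tool or anything from the article: it audits a small set of constructed HTTP requests (stand-ins for what a packet capture on a test network would yield; the hostnames, cookie names and values are all made up) and flags session cookies, authorisation headers, location parameters and password fields that are sent without TLS.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of captured requests, one per app, reduced to
# method / URL / headers / body. Hosts and values are placeholders,
# not real captures from any service.
SAMPLE_REQUESTS = [
    {"app": "social", "method": "GET",
     "url": "http://m.example-social.test/home.php",
     "headers": {"Cookie": "xs=abc123session; c_user=42"}, "body": ""},
    {"app": "calendar", "method": "GET",
     "url": "http://calendar.example.test/feeds/default/private/full",
     "headers": {"Authorization": "Bearer EXAMPLE-TOKEN"}, "body": ""},
    {"app": "songid", "method": "POST",
     "url": "http://api.example-songs.test/match?lat=29.7174&lon=-95.4018",
     "headers": {}, "body": "fingerprint=PLACEHOLDER"},
    {"app": "login", "method": "POST",
     "url": "https://login.example.test/auth",
     "headers": {}, "body": "user=alice&password=hunter2"},
]

# Heuristic name patterns; tune these to the app under test.
SESSION_COOKIE = re.compile(r"(sess|sid|token|xs|auth)", re.I)
LOCATION_PARAM = re.compile(r"^(lat|lon|lng|latitude|longitude|gps)$", re.I)
SECRET_FIELD = re.compile(r"(pass|pwd|secret|token)", re.I)


def audit_request(req):
    """Return a list of (category, field_name) findings for one request.

    Only plaintext HTTP is examined: a passive sniffer cannot read the
    contents of a TLS connection, so HTTPS requests produce no findings.
    """
    findings = []
    parts = urlsplit(req["url"])
    if parts.scheme.lower() != "http":
        return findings

    # A session cookie sent in the clear can be replayed by an eavesdropper,
    # which is exactly the weakness the sidejacking tools exploited.
    cookie = req["headers"].get("Cookie", "")
    names = (c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip())
    for name in names:
        if SESSION_COOKIE.search(name):
            findings.append(("session-cookie", name))

    # Any Authorization header over plaintext HTTP is a credential leak.
    if "Authorization" in req["headers"]:
        scheme = req["headers"]["Authorization"].split(" ", 1)[0]
        findings.append(("auth-header", scheme))

    # Location and secret-looking parameters in the query string or form body.
    query = parse_qs(parts.query, keep_blank_values=True)
    body = parse_qs(req["body"], keep_blank_values=True) if req["method"] == "POST" else {}
    for name in list(query) + list(body):
        if LOCATION_PARAM.match(name):
            findings.append(("location", name))
        elif SECRET_FIELD.search(name):
            findings.append(("secret-field", name))
    return findings


def audit_capture(requests):
    """Map app name -> findings, omitting apps with nothing flagged."""
    report = {}
    for req in requests:
        found = audit_request(req)
        if found:
            report[req["app"]] = found
    return report


if __name__ == "__main__":
    for app, found in audit_capture(SAMPLE_REQUESTS).items():
        print(app, found)
```

Run against the constructed sample, the social app is flagged for its `xs` session cookie, the calendar app for its plaintext `Authorization` header, and the song-recognition app for sending `lat` and `lon` with every request; the login request goes over HTTPS and is not flagged. The same check can be pointed at a real capture by building the request records from a tool such as a proxy or packet-capture export.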
Writing on his blog, Wallach said: “What options do Android users have today to protect themselves against eavesdroppers? Android does support several VPN configurations which you could configure before you hit the road. That won't stop the unnecessary transmission of your fine GPS coordinates, which, to my mind, neither SoundHound nor ShopSaavy have any business knowing.
“If that's an issue for you, you could turn off your GPS altogether, but you'd have to turn it on again later when you want to use maps or whatever else. Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these.”
The research came as no surprise to Philip Lieberman, CEO of Lieberman Software, who said it was a prime example of the lack of secure mobile application development.
He said: “The stark reality is that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure. Depending on the platform provided by a vendor, the core security available to the developer (given that they know what they are doing) can also be woefully inadequate.
“As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may be beyond their expertise and budget. Because security is frequently an 'out of sight, out of mind' problem, it does not get addressed/funded until someone complains or something bad happens.
“This story is a great lesson that it is time for developers to hit the books on how to secure their applications, and platform vendors need to complete their security and encryption suites to make it 'easy' for developers to write secure applications.”
Speaking to SC Magazine, Chris Wysopal, CTO of Veracode, said: “I think the wake-up call comes when these known vulnerabilities get exploited. Someone needs to write a tool that demonstrates these privacy leakages. Unencrypted session IDs used by online mail services, Facebook and Twitter were well known to be a vulnerability, but it wasn't until someone wrote Firesheep that anything changed.
“Now, four months later, almost all of the services are offering SSL as an option. It still isn't the default for most services, such as Facebook. This seems to be the way that things work for new types of vulnerabilities on new platforms. Security researchers point out the flaws, they are ignored, an attack tool is created and then people wake up. I do expect tools to expose these privacy issues to come soon.”