Thursday, 16 September 2010

Android Application Security

Sorry for not having written in this blog for such a long time, but I just did not have any ideas that I thought important enough to bother you with (if there is anyone out there reading this). I have recently purchased an HTC Wildfire (a good device with some shortcomings, but all in all it offers a good price–value ratio; discussing the pros and cons of the device would miss the point of this post). I have – of course – installed a couple of applications on it (what's the use of a smartphone without those), many of which communicate with the Internet.

Considering I will mostly be using those when I am not at home (and thus do not have access to a real computer), I have started some analysis to find out which of these applications I can securely use on a public WiFi (or over my mobile internet connection) without fearing that any data is exposed to eavesdroppers (like the WiFi host or – if the WiFi is public or the key is known to many people – a third party that can intercept the data stream). The long and the short of it: I wanted to find out which of the applications send unencrypted data to the Internet.

I connected my computer (which luckily has two Ethernet cards) to the router with both of them, connected the Android phone to the WiFi of the router and manually set my computer as the gateway, which in turn forwarded all the data back to the router again. Then I started up Wireshark and thus could see all traffic coming from the smartphone, and have drawn the following conclusions:
  • Google Talk seems safe to use as neither the plaintext of the account credentials nor the one of the messages sent can be found in the data sent.
  • eBuddy (a multi-IM client supporting, inter alia, MSN) seems to encrypt only the password when logging in, and definitely does not encrypt the username or any messages sent over MSN.
Because my setup did not work as well as I had expected (the Internet was terribly slow on the phone, and furthermore Wireshark kept segfaulting), I have not yet analyzed other applications, but if you want me to look at one, do not hesitate to tell me in the comments. Other than that, I advise you to set up your email accounts at home over an encrypted connection and manually configure the email client to use SSL (it appears to favour unencrypted communication when autodetecting your account settings from the login data), lest you expose your login data to the owner of the WiFi or to eavesdroppers. Whenever you send sensitive data with the web browser, be sure you are using an SSL-secured connection to the server.
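As an added example (not code from the original post), here is a small Python routine that turns the manual Wireshark inspection described above into a repeatable check: it takes TCP payloads from a capture, treats TLS records as opaque to an eavesdropper, and flags cleartext segments that carry credentials in the protocols the post is concerned with (HTTP, IMAP/POP3 mail, form-based logins). The segments below are constructed samples, not real captured traffic, and the code assumes a pcap reader supplies `(server port, payload)` pairs.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample segments, shaped like what a pcap reader would hand over:
# (server port, TCP payload). Made up for this example; not real captured data.
SAMPLE_SEGMENTS = [
    (443, bytes.fromhex("160301004a0100004603014a")),            # start of a TLS ClientHello
    (80, b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
         + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    (143, b'a001 LOGIN alice "hunter2"\r\n'),                    # IMAP login without STARTTLS
    (110, b"USER alice\r\nPASS hunter2\r\n"),                    # POP3 login without STARTTLS
    (80, b"POST /login HTTP/1.1\r\nHost: im.example\r\n\r\nuser=alice&password=hunter2"),
    (5222, b"<stream:stream to='example.com' xmlns='jabber:client'>"),  # XMPP, no credentials yet
]

# Cleartext credential patterns for the protocols the post talks about.
CREDENTIAL_PATTERNS = [
    ("http-basic-auth", re.compile(rb"Authorization:\s*Basic\s+[A-Za-z0-9+/=]+", re.I)),
    ("imap-login", re.compile(rb"^\S+\s+LOGIN\s+\S+\s+\S+", re.I | re.M)),
    ("pop3-pass", re.compile(rb"^PASS\s+\S+", re.I | re.M)),
    ("form-password", re.compile(rb"(?:^|&)(?:pass(?:word)?|pwd)=[^&\s]+", re.I | re.M)),
]


def is_tls_record(payload: bytes) -> bool:
    """True if the segment starts a TLS record: content type 0x14-0x17, major version 3."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def audit_segment(payload: bytes) -> Tuple[str, List[str]]:
    """Classify one payload as 'tls' (opaque to an eavesdropper) or 'cleartext',
    and for cleartext list which credential patterns it exposes."""
    if is_tls_record(payload):
        return "tls", []
    return "cleartext", [name for name, pat in CREDENTIAL_PATTERNS if pat.search(payload)]


def audit_capture(segments) -> List[Tuple[int, str, List[str]]]:
    """Run the check over every (port, payload) pair and return one row per segment."""
    return [(port, *audit_segment(payload)) for port, payload in segments]


if __name__ == "__main__":
    for port, status, findings in audit_capture(SAMPLE_SEGMENTS):
        flag = "LEAK" if findings else "ok"
        print(f"port {port:5d}  {status:9s}  {flag:4s}  {', '.join(findings)}")
```

A segment reported as cleartext with no findings (the XMPP stream opener here) still deserves a look later in the session, since the credentials may simply follow in a later packet.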
