Security News Are your Android apps sending unencrypted data?

LASER_oneXM
Feb 4, 2016
Have you ever wanted to know what your phone is up to?

Good, then this article is for you.

Phones are locked down so you don’t have to worry about what’s going on under the hood. That’s great if you want a device that Just Works, and it’s the exact opposite if you’re the kind of person that worries about what it might be up to – like me.

Fortunately, if you have a bit of time and some technical skills, there are some simple ways to see what your apps are up to.

One of the things I worry about is oversharing – apps sending out more data than they need to, or transmitting data in insecure ways – such as using unencrypted HTTP requests instead of HTTPS.

My concerns led me to do some network analysis on popular Android apps, following the methodology set out in the OWASP Mobile Security Testing Guide.

I’ll tell you what I did, what I discovered and how you can do it too.
Oversharing apps

I looked at the charts of the most popular apps on Google Play, picked a few at random, installed them and then monitored their traffic to see what they were sharing.
I tested fourteen popular apps:
  • Four of them sent data unencrypted, making them easy to spy on over public Wi-Fi.
  • One app shared email addresses and authentication tokens in plain text.
  • Another shared my ZIP code, Android version and battery charge (a potential fingerprint).
I was shocked at how easy it was to discover such basic security blunders, and shared what I found with the apps’ developers.
There are millions of apps on Google Play, and millions more on other markets – far too many for me to test on my own. That’s where you come in – here’s how I did it, so you can do it too.
 

Lumen also gives you blocking controls, on a par with some other global blocking apps. Netguard, for instance (the GitHub version), is great for monitoring and blocking individual IP addresses. But Lumen is free and easy to use, if you trust the developers. I trust both developers, personally.
 

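The kind of check the article describes (which apps talk plain HTTP, and what those requests carry), as an added example for this thread. It is not code from the article, from Sophos, or from Lumen or NetGuard. It assumes you already have the first payload of each connection, for instance from tcpdump on a rooted test device or from a proxy the device is pointed at; the app ids, hostnames and request contents below are constructed for the example, and the leak patterns are assumptions about what is worth flagging, not a complete list.

```python
"""Triage captured TCP payloads from an Android device: which connections are
plaintext HTTP, and which of those carry identifiers worth reporting?

Added example for this thread, not code from the article or from Lumen/NetGuard.
Input is constructed: a few request payloads as they would appear in a capture
taken on the test device."""
import re
from dataclasses import dataclass, field

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

# What the article flagged: account identifiers, auth tokens, fingerprinting fields.
# These patterns are assumptions for the example, not an exhaustive list.
LEAK_PATTERNS = [
    ("email", re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("authorization-header", re.compile(rb"(?im)^Authorization:\s*\S+")),
    ("token-parameter", re.compile(rb"(?i)(?:^|[?&])(?:token|auth_token|session)=[^&\s]+")),
    ("zip-code", re.compile(rb"(?i)[?&]zip(?:code)?=\d{5}")),
    ("device-info", re.compile(rb"(?i)[?&](?:os|android_version|battery)=[^&\s]+")),
]


@dataclass
class Finding:
    app: str
    transport: str          # "http", "tls" or "unknown"
    host: str               # Host header or TLS SNI, "" if absent
    leaks: list = field(default_factory=list)


def classify(payload: bytes) -> str:
    """TLS ClientHello: record type 0x16, version 0x03xx, handshake type 0x01 at offset 5."""
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def http_host(payload: bytes) -> str:
    m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", payload)
    return m.group(1).decode("ascii", "replace") if m else ""


def tls_sni(p: bytes) -> str:
    """Walk a ClientHello to the server_name extension (RFC 6066); '' if absent or malformed."""
    try:
        i = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
        i += 1 + p[i]                                   # session id
        i += 2 + int.from_bytes(p[i:i + 2], "big")      # cipher suites
        i += 1 + p[i]                                   # compression methods
        end = i + 2 + int.from_bytes(p[i:i + 2], "big")  # extensions block
        i += 2
        while i + 4 <= end:
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            i += 4
            if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = int.from_bytes(p[i + 3:i + 5], "big")
                return p[i + 5:i + 5 + name_len].decode("ascii", "replace")
            i += elen
    except IndexError:
        pass
    return ""


def analyze(captures):
    """captures: iterable of (app_id, first payload of the connection)."""
    findings = []
    for app, payload in captures:
        kind = classify(payload)
        if kind == "http":
            leaks = [name for name, rx in LEAK_PATTERNS if rx.search(payload)]
            findings.append(Finding(app, "http", http_host(payload), leaks))
        elif kind == "tls":
            findings.append(Finding(app, "tls", tls_sni(payload)))
        else:
            findings.append(Finding(app, "unknown", ""))
    return findings


def plaintext_apps(findings):
    return sorted({f.app for f in findings if f.transport == "http"})


def build_client_hello(host: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension (constructed sample)."""
    name = b"\x00" + len(host).to_bytes(2, "big") + host
    sni = len(name).to_bytes(2, "big") + name
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed captures; app ids, hosts and request contents are invented for the example.
SAMPLE_CAPTURES = [
    ("com.example.weather",
     b"GET /v1/forecast?zip=94107&os=Android6.0&battery=83 HTTP/1.1\r\n"
     b"Host: api.weather.example\r\nUser-Agent: WeatherApp/2.1\r\n\r\n"),
    ("com.example.social",
     b"POST /api/login HTTP/1.1\r\nHost: login.social.example\r\n"
     b"Authorization: Bearer eyJhbGciOiJub25lIn0.e30.\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 44\r\n\r\n"
     b"email=alice@example.com&session=8d1f0c2a9b3e"),
    ("com.example.bank", build_client_hello(b"api.bank.example")),
    ("com.example.game", b"\x00\x01\x02\x03binaryprotocol"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURES):
        flag = "PLAINTEXT" if f.transport == "http" else f.transport.upper()
        print(f"{f.app:22} {flag:9} {f.host:24} {', '.join(f.leaks)}")
```

On a real capture you would map each connection to an app first (on Android the owning UID of a socket is visible in /proc/net/tcp, which is how firewall apps attribute traffic) and feed the first payload of each connection in; the classifier only needs those first bytes. Everything that comes back as "http" is readable by anyone on the same Wi-Fi, whether or not a leak pattern matched, so the transport column is the primary finding and the leaks column is what you put in the report to the developer.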