Security shocker: Android apps send private data in clear

Status
Not open for further replies.

Jack

Jan 24, 2011
Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users' privacy, a computer scientist says.

In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google's mobile platform. What he saw surprised him.

More details - link
 
This is very poor on their part, in my opinion, for a company that has a huge userbase which they say they aim to protect. I for one will not use my Android phone for such activity anymore until they get this sorted. Not that I post too much on their social networking site, but I still have to admit I'm a self-confessed addict!
 
bogdan said:
This is a problem with the apps, not the actual Android platform. Keep in mind that even on PCs most sites do not maintain the SSL encryption (https) after the login.

Sad but true. Do you think that in the near future most sites will go with full SSL sites as opposed to just log-ins? If I understand right, it uses a lot more resources like bandwidth and CPU, etc., to achieve this, so would the cost be justified?
 
AyeAyeCaptain said:
bogdan said:
This is a problem with the apps, not the actual Android platform. Keep in mind that even on PCs most sites do not maintain the SSL encryption (https) after the login.

Sad but true. Do you think that in the near future most sites will go with full SSL sites as opposed to just log-ins? If I understand right, it uses a lot more resources like bandwidth and CPU, etc., to achieve this, so would the cost be justified?
I know that Comodo forums has this option. Is there anywhere else that currently has this?
 
Google implemented it with Gmail some time ago and published a report saying that the actual impact on their servers is not as big as expected. Other social sites will probably follow the example (some already did). Firesheep (a Firefox extension that demonstrates HTTP session hijacking attacks) brought some attention to this subject.

You can use HTTPS Everywhere - a Firefox extension - to force a permanent https connection on some sites.
Facebook recently began allowing you to enable this feature for their website (link). Highly recommended, especially if you use public hot-spots.
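
Added example (not part of the original thread): a small Python audit over a capture of your own traffic that flags the pattern discussed above, a login over https followed by the session cookie travelling over plain http. The capture records, hostnames and cookie names are constructed for illustration, and treating `session` and `sid` as the session cookie names is an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample capture (hypothetical hosts and cookie names):
# (request URL, request Cookie header, response Set-Cookie headers)
CAPTURE = [
    ("https://social.example/login", "", ["session=abc123; Path=/; HttpOnly"]),
    ("http://social.example/home", "session=abc123", []),
    ("https://mail.example/login", "", ["sid=xyz789; Path=/; Secure; HttpOnly"]),
    ("https://mail.example/inbox", "sid=xyz789", []),
    ("http://news.example/", "theme=dark", ["theme=dark; Path=/"]),
]


def audit(capture, session_names=("session", "sid")):
    """Return (host, cookie, reason) findings for session cookies that
    were sent in cleartext or were issued without the Secure attribute."""
    findings = []
    for url, cookie_header, set_cookies in capture:
        parts = urlsplit(url)
        host, scheme = parts.hostname, parts.scheme

        # Cookies the client attached to this request.
        sent = SimpleCookie()
        sent.load(cookie_header)
        for name in sent:
            if name in session_names and scheme == "http":
                findings.append((host, name, "sent over plain HTTP"))

        # Cookies the server issued in the response.
        for header in set_cookies:
            issued = SimpleCookie()
            issued.load(header)
            for name, morsel in issued.items():
                # Without Secure, the browser will also send the cookie
                # on any later http:// request to the same site.
                if name in session_names and not morsel["secure"]:
                    findings.append((host, name, "issued without Secure flag"))
    return findings


if __name__ == "__main__":
    for host, name, reason in audit(CAPTURE):
        print(f"{host}: cookie '{name}' {reason}")
```

A site that keeps the whole session on https and marks its session cookie `Secure` (the `mail.example` records here) produces no findings.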
 