Wednesday, September 15, 2010

What is your mobile device saying about you in public?

Anyone who attended Defcon this year probably noticed the huge number of Twitter accounts posted on the Wall of Sheep. A lot of people weren't aware that their chosen mobile Twitter client did not use SSL to log in. With the proliferation of wifi enabled mobile devices, it's easier than ever to sniff mobile traffic. That traffic is a goldmine, and many users don't realize what they're sending in clear text.

There are a few benefits to being able to sniff mobile app traffic. Its easier to track where your personal information is ending up. For example, if you are using an app that you're trusting with information from the device, it's often pretty easy to see that information going out in real time to third parties you may not trust as much. I would love to see better control from the device about what urls an app is allowed to send information to; maybe a NoScript style whitelist. If you take a look at some mobile traffic from your device of choice, you may be amazed at the information leakage happening.

Taking a look at your device traffic can also serve as a quick audit of the application. If you can easily see logins going out in clear text, information about you or your device going out to third parties, or hitting a non-relevant URL in the middle, that may be worth taking note of. If an app sends your login to the dev company's server before forwarding it on to the service you're trying to use, that's worth knowing. There are mobile applications that do this sort of thing all the time and being able to see the traffic allows you to decide if this is ok or not.

The benefits of having so much mobile traffic sent in clear text obviously disappear when you're hooked up to public wifi and it's someone else examining the traffic. As the all-in-good-fun Defcon example shows, you could be leaking logins and personal information to anyone who cares to look. It can be easy to take security for granted when you're using a mobile application. Average users have been trained to check for secure connections in their browser before they send sensitive information. But when that visual confirmation is not readily available that check is easy to forget. Unfortunately, apps properly protecting user information in transit are not nearly common enough to take such things for granted.

The problems in mobile application traffic are much the same as the rest of web application security. Although with the number of wifi mobile device users increasing, it will continue to become a bigger issue. Solutions can come from device manufacturers and developers. By considering the information their applications are sending, and encrypting it accordingly, developers can make their app users much safer. Third party API builders also need to consider encryption options or requirements. SSL is not even an option on many APIs.

Manufacturers can improve by providing users more granular control over what their applications are sending and how they are sending it. Several platforms I examined have all made some attempt at this but I have yet to see anyone make it intuitive for the average user or provide complete controls. A visual in-app secure connection indicator would also give users control they currently enjoy on their home computers.

So what do you think? How can we improve the state of traffic encryption on mobile devices? And why arent more developers encrypting sensitive information by default? As always, feedback is much appreciated. You can comment here, email me at jackwillksecurity at gmail or reach me on Twitter @jackwillk