释放 firefex插件for firefox 它已成为在开放Wi-Fi网络上浏览网站浏览的微不足道被第三方听众劫持。
With the release of the firesheep plug-in for firefox it has become trivial for website browsing on open Wi-Fi networks to be hijacked by 3rd party listeners.
Android offers the convenient auto-sync option. However I fear that my data may be auto-sync'd while I am connected to an open Wi-Fi network while at the local coffee shop or shopping mall.
Is all the data Android auto-syncs encrypted using SSL or a similar encryption mechanism? Is any auto-sync'd data unencrypted and transmitted in the clear for all to listen in to?
Update: COMPLETELY INSECURE!!!! See below!!!!
Note: answering my own question as nobody knew.
I did a packet capture after selecting Menu -> Accounts & Sync -> Auto-sync (also accessible via the "Power Control" widget). What did I discover?
To my horror (http requests from phone displayed below):
GET /proxy/calendar/feeds/myaccount%40gmail.com HTTP/1.1 Accept-Encoding: gzip Authorization: GoogleLogin auth=_hidden_ Host: android.clients.google.com Connection: Keep-Alive User-Agent: Android-GData-Calendar/1.4 (vision FRF91); gzip
GET /email@example.com/base2_property-android?showdeleted=true&orderby=lastmodified&updated-min=2010-12-01T08%3A49%3A00.561Z&sortorder=ascending&max-results=10000&requirealldeleted=true HTTP/1.1 Accept-Encoding: gzip Authorization: GoogleLogin auth=_hidden_ GData-Version: 3.0 Host: android.clients.google.com Connection: Keep-Alive User-Agent: Android-GData-Contacts/1.3 (vision FRF91); gzip
My contacts and calendar are being transmitted unencrypted! I don't currently synchronize gmail so I couldn't say if that is unencrypted either.
Also the stock market application (which must be a service because I don't have the widget displayed or the application active):
POST /dgw?imei=TEST&apptype=finance&src=HTC01 HTTP/1.1 User-Agent: curl/7.19.0 (i586-pc-mingw32msvc) libcurl/7.19.0 zlib/1.2.3 Content-Type: text/xml Content-Length: 338 Host: api.htc.go.yahoo.com Connection: Keep-Alive Expect: 100-Continue <?xml version="1.0" encoding="UTF-8"?> <request devtype="HTC_Model" deployver="HTCFinanceWidget 0.1" app="HTCFinanceWidget" appver="0.1.0" api="finance" apiver="1.0.1" acknotification="0000"> <query id="0" timestamp="0" type="getquotes"> <list><symbol>VOD.L</symbol><symbol>BARC.L</symbol></list></query> </request>
Completely unencrypted request for stock quotes: just think, you could sit in Starbucks in the financial centre of your city and packet-sniff what quotes were important to all the smart phone users around you..
Other items that were not encrypted:
time-nw.nist.gov:13(doesn't even use NTP)
About the only data that is encrypted on my phone are the mail accounts I set up with the K-9 application (because all my mail accounts use SSL - and fortunately gmail accounts are, by default, SSL; and yahoo! mail supports imap using SSL too). But it seems none of the auto-sync'd data from the out-of-box phone is encrypted.
This is on a HTC Desire Z with Froyo 2.2 installed. Lesson: do not use phone on open wireless network without VPN encrypted tunnelling!!!
Note, packet capture taken by using tshark on ppp0 interface on virtual node running Debian connected to Android phone via OpenSwan (IPSEC) xl2tpd (L2TP).
Results captured on an LG Optimus V (VM670), Android 2.2.1, stock, rooted, purchased in March 2011.
As of today, the only unencrypted requests I could find in a pcap taken during a complete resync were:
GET /data/feed/api/user/<username>?imgmax=1024&max-results=1000&thumbsize=144u,1024u &visibility=visible&kind=album HTTP/1.1 GData-Version: 2 Accept-Encoding: gzip Authorization: GoogleLogin auth=<snipped> If-None-Match: <snipped; don't know if it's sensitive info> Host: picasaweb.google.com Connection: Keep-Alive User-Agent: Cooliris-GData/1.0; gzip
Picasa was the only service I could find being synced unencrypted. Facebook requested a couple profile images (but didn't pass any account info); Skype requested ads; and TooYoou grabbed a new banner image. None of those relate to sync, really.
So it looks like Google's syncing security has been tightened quite a bit. Turn off syncing Picasa Web Albums and all of your Google data should be synced in encrypted form.
This bothered me a little:
GET /market/download/Download?userId=<snipped>&deviceId=<snipped> &downloadId=-4466427529916183822&assetId=2535581388071814327 HTTP/1.1 Cookie: MarketDA=<snipped> Host: android.clients.google.com Connection: Keep-Alive User-Agent: AndroidDownloadManager
The return of this is a 302 Moved Temporarily that points to a highly complex download URL:
HTTP/1.1 302 Moved Temporarily Cache-control: no-cache Location: http://o-o.preferred.iad09g05.v5.lscache6.c.android.clients.google.com /market/GetBinary/com.wemobs.android.diskspace/1?expire=1322383029&ipbits=0 &ip=0.0.0.0&sparams=expire,ipbits,ip,q:,oc:<snipped> &signature=<snipped>.<snipped>&key=am2 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Date: Fri, 25 Nov 2011 08:37:09 GMT X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Transfer-Encoding: chunked
Android's download manager turns right around and requests that download location, passing the
MarketDA cookie again.
I don't know if there's any security danger from how Market downloads APKs. The worst I can imagine is that unencrypted APK downloads open up the possibility of interception & replacement with a malicious package, but I'm sure Android has signature checks to prevent that.