What Android sync'd data is encrypted?

Tags: 2.2-froyo, sync, security, encryption, privacy, android

24 votes

Question


With the release of the firesheep plug-in for firefox it has become trivial for website browsing on open Wi-Fi networks to be hijacked by 3rd party listeners.

Android offers the convenient auto-sync option. However, I fear that my data may be auto-sync'd while I am connected to an open Wi-Fi network at the local coffee shop or shopping mall.

Is all the data Android auto-syncs encrypted using SSL or a similar encryption mechanism? Is any auto-sync'd data unencrypted and transmitted in the clear for all to listen in to?

Update: COMPLETELY INSECURE!!!! See below!!!!

Answers

13 votes (accepted answer)

Note: answering my own question as nobody knew.

I did a packet capture after selecting Menu -> Accounts & Sync -> Auto-sync (also accessible via the "Power Control" widget). What did I discover?

To my horror (HTTP requests from the phone displayed below):

    GET /proxy/calendar/feeds/myaccount%40gmail.com HTTP/1.1
    Accept-Encoding: gzip
    Authorization: GoogleLogin auth=_hidden_
    Host: android.clients.google.com
    Connection: Keep-Alive
    User-Agent: Android-GData-Calendar/1.4 (vision FRF91); gzip

and

    GET /proxy/contacts/groups/myaccount@gmail.com/base2_property-android?showdeleted=true&orderby=lastmodified&updated-min=2010-12-01T08%3A49%3A00.561Z&sortorder=ascending&max-results=10000&requirealldeleted=true HTTP/1.1
    Accept-Encoding: gzip
    Authorization: GoogleLogin auth=_hidden_
    GData-Version: 3.0
    Host: android.clients.google.com
    Connection: Keep-Alive
    User-Agent: Android-GData-Contacts/1.3 (vision FRF91); gzip

My contacts and calendar are being transmitted unencrypted! I don't currently synchronize gmail so I couldn't say if that is unencrypted either.

Also the stock market application (which must be a service because I don't have the widget displayed or the application active):

    POST /dgw?imei=TEST&apptype=finance&src=HTC01 HTTP/1.1
    User-Agent: curl/7.19.0 (i586-pc-mingw32msvc) libcurl/7.19.0 zlib/1.2.3
    Content-Type: text/xml
    Content-Length: 338
    Host: api.htc.go.yahoo.com
    Connection: Keep-Alive
    Expect: 100-Continue

    <?xml version="1.0" encoding="UTF-8"?>
    <request devtype="HTC_Model" deployver="HTCFinanceWidget 0.1" app="HTCFinanceWidget" appver="0.1.0" api="finance" apiver="1.0.1" acknotification="0000">
    <query id="0" timestamp="0" type="getquotes">
    <list><symbol>VOD.L</symbol><symbol>BARC.L</symbol></list></query>
    </request>

Completely unencrypted request for stock quotes: just think, you could sit in Starbucks in the financial centre of your city and packet-sniff what quotes were important to all the smartphone users around you.

Other items that were not encrypted:

  • HTTP request to htc.accuweather.com
  • time request to time-nw.nist.gov:13 (doesn't even use NTP)

About the only data that is encrypted on my phone is the mail accounts I set up with the K-9 application (because all my mail accounts use SSL - and fortunately Gmail accounts are, by default, SSL; and Yahoo! Mail supports IMAP using SSL too). But it seems none of the auto-sync'd data from the out-of-box phone is encrypted.

This is on an HTC Desire Z with Froyo 2.2 installed. Lesson: do not use the phone on an open wireless network without VPN encrypted tunnelling!!!

Note: packet capture taken using tshark on the ppp0 interface of a virtual node running Debian, connected to the Android phone via OpenSwan (IPsec) and xl2tpd (L2TP).

4 votes
Results captured on an LG Optimus V (VM670), Android 2.2.1, stock, rooted, purchased in March 2011.

As of today, the only unencrypted requests I could find in a pcap taken during a complete resync were:

Picasa Web Albums

    GET /data/feed/api/user/<username>?imgmax=1024&max-results=1000&thumbsize=144u,1024u&visibility=visible&kind=album HTTP/1.1
    GData-Version: 2
    Accept-Encoding: gzip
    Authorization: GoogleLogin auth=<snipped>
    If-None-Match: <snipped; don't know if it's sensitive info>
    Host: picasaweb.google.com
    Connection: Keep-Alive
    User-Agent: Cooliris-GData/1.0; gzip

That's it.

Picasa was the only service I could find being synced unencrypted. Facebook requested a couple of profile images (but didn't pass any account info); Skype requested ads; and TooYoou grabbed a new banner image. None of those relate to sync, really.

So it looks like Google's syncing security has been tightened quite a bit. Turn off syncing Picasa Web Albums and all of your Google data should be synced in encrypted form.

Market

This bothered me a little:

    GET /market/download/Download?userId=<snipped>&deviceId=<snipped>&downloadId=-4466427529916183822&assetId=2535581388071814327 HTTP/1.1
    Cookie: MarketDA=<snipped>
    Host: android.clients.google.com
    Connection: Keep-Alive
    User-Agent: AndroidDownloadManager

The response is a 302 Moved Temporarily that points to a highly complex download URL:

    HTTP/1.1 302 Moved Temporarily
    Cache-control: no-cache
    Location: http://o-o.preferred.iad09g05.v5.lscache6.c.android.clients.google.com/market/GetBinary/com.wemobs.android.diskspace/1?expire=1322383029&ipbits=0&ip=0.0.0.0&sparams=expire,ipbits,ip,q:,oc:<snipped>&signature=<snipped>.<snipped>&key=am2
    Pragma: no-cache
    Content-Type: text/html; charset=UTF-8
    Date: Fri, 25 Nov 2011 08:37:09 GMT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Transfer-Encoding: chunked

Android's download manager turns right around and requests that download location, passing the MarketDA cookie again.

I don't know if there's any security danger from how Market downloads APKs. The worst I can imagine is that unencrypted APK downloads open up the possibility of interception & replacement with a malicious package, but I'm sure Android has signature checks to prevent that.
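A small audit script, added here as an example and not part of either answer, that automates the check both answers did by eye over their captures: it parses cleartext HTTP messages (constructed samples modelled on the requests quoted in the two answers, keeping their placeholders) and flags credential-bearing headers sent without TLS, a 302 redirect to a plaintext download URL, and requests whose path and query are still visible even when no credential is attached.

```python
# Constructed samples modelled on the captures quoted in the answers above;
# tokens and cookies keep the answers' own placeholders.
SAMPLE_MESSAGES = [
    "GET /proxy/calendar/feeds/myaccount%40gmail.com HTTP/1.1\r\n"
    "Authorization: GoogleLogin auth=_hidden_\r\n"
    "Host: android.clients.google.com\r\n\r\n",
    "GET /market/download/Download?userId=<snipped>&deviceId=<snipped> HTTP/1.1\r\n"
    "Cookie: MarketDA=<snipped>\r\n"
    "Host: android.clients.google.com\r\n\r\n",
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://o-o.preferred.iad09g05.v5.lscache6.c.android.clients.google.com"
    "/market/GetBinary/com.wemobs.android.diskspace/1?expire=1322383029&signature=<snipped>\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n",
    "POST /dgw?imei=TEST&apptype=finance&src=HTC01 HTTP/1.1\r\n"
    "Host: api.htc.go.yahoo.com\r\n\r\n",
]
# Headers whose cleartext exposure lets an eavesdropper reuse the session.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def parse_message(raw):
    """Split a raw HTTP message into (start line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_message(raw):
    """Return findings for one message seen on a plaintext (port 80) stream."""
    start, headers = parse_message(raw)
    host = headers.get("host", "?")
    findings = []
    for name in sorted(CREDENTIAL_HEADERS & set(headers)):
        findings.append(f"{name} header sent in the clear to {host}")
    location = headers.get("location", "")
    if start.startswith("HTTP/") and location.lower().startswith("http://"):
        findings.append("redirect to a plaintext download URL: " + location.split("?", 1)[0])
    if not findings and not start.startswith("HTTP/"):
        method, target = start.split(" ")[:2]
        findings.append(f"no credentials, but {method} {target} to {host} is visible")
    return findings

def audit_all(messages=SAMPLE_MESSAGES):
    # Flatten findings across a whole capture, in capture order.
    return [f for m in messages for f in audit_message(m)]

if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

To run it over a real capture, feed it the message text that tshark or a similar tool reassembles from port-80 streams in place of the constructed samples.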
