14

I have an Android phone. When it's connected only to my carrier's 3G network I imagine it's reasonably secure against eavesdropping (although not invulnerable). However, at times due to lack of reception or other reasons, I may connect to a public Wifi network and use my phone that way.

It worries me though. If I use my GMail app, or a banking app, or even something less important like Twitter, is my data being sent securely? Or is it likely that somebody else could be reading my messages sent in this manner?

If I load GMail or Twitter in a browser, I can see if the protocol in the URL is https, and if the certificates appear valid. Most browsers have a prominent icon to let you know when they are in secure mode and everything checks out. The Android apps I've seen have nothing like this, so as far as I can tell I have nothing more than blind hope that the developers have secured the traffic in their apps.

Are the Android apps I have sending my personal information over Wifi securely? How can I tell? And is there a standard or feature of the OS that Google can use to enforce this? Or is it every developer for themselves?

2
  • 4
    Amazingly, this question is the #7 Google result for "android gmail tls", and I only asked the question 9 minutes ago. Stack Exchange has crazy SEO! Commented Dec 30, 2011 at 19:26
  • 1
    The only thing you should ever do on a public wifi is the following: Open an encrypted vpn connection (preferable to a vpn node you can trust) and route all other traffic through this vpn connection. Commented Jan 24, 2014 at 16:38

3 Answers

11

The encryption and authentication inherent to the 3G network protect you only within the infrastructure of the 3G provider, but not beyond. If you do a plain unencrypted HTTP connection with your phone, the data is unprotected once it gets outside of the provider's network, and enters the Internet at large, where wild beasts roam. If an app is sending unprotected private data, you have a problem, regardless of whether the sending goes first through WiFi or through 3G. The WiFi just makes the problem more locally obvious.

To get an idea of how things are handled on your phone, you may run a packet capture application, just like you could do with a PC. It will probably need the phone to be rooted, though. Moreover, even if the capture shows an SSL/TLS session, you still do not know how the client authenticates the server certificate (in particular, what root certificates are accepted by the application, and how it matches the certificate with the intended server name), so you cannot gain full assurance that a random app does things properly.

There is nothing in the OS which enforces use of TLS; but at least a reasonably good TLS client is provided, and most apps which want to do some SSL/TLS will actually use HTTPS, for which the default implementation does things in a reasonably sane way (just like a Web browser). So we can say that an app developer who uses SSL/TLS but botches it must have been inordinately creative in his sloppiness.

1
  • 5
    You can also try to connect your Android phone through a WiFi router under your control and launch packet capturing (with Wireshark or tcpdump) there - that won't require having your phone rooted. Commented Dec 30, 2011 at 20:41
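The accepted answer points out that seeing a TLS session in a capture still leaves open how the app matches the certificate against the intended server name. The following Python function, added here as an example and not taken from any of the answers, implements that name-matching step the way a careful TLS client does it (RFC 6125 / RFC 2818 rules for dNSName and iPAddress subjectAltName entries, Common Name ignored). The subjectAltName lists and host names in it are constructed samples, not real certificates.

```python
"""Hostname matching as a TLS client must do it after chain validation.

Added example, not code from the original answers. Answers the question:
does the server certificate actually name the host the app meant to reach?
The SAN lists and host names below are constructed, not from a real cert.
"""
import ipaddress
from typing import Sequence


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName identifier from the certificate against host.

    Rules applied (the conservative subset modern clients use):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire leftmost label ("*.example.com");
    - the wildcard matches exactly one label: never "example.com" itself and
      never "a.b.example.com";
    - a wildcard needs at least two fixed labels after it, so "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def hostname_matches(intended_host: str, san_dns: Sequence[str], san_ip: Sequence[str] = ()) -> bool:
    """Return True if the certificate's subjectAltName covers intended_host.

    intended_host: what the app connected to (DNS name or IP literal).
    san_dns / san_ip: dNSName and iPAddress entries from subjectAltName.
    An IP literal must match an iPAddress entry; dNSName entries are not
    consulted for it, even if one happens to contain the same digits.
    """
    try:
        ip = ipaddress.ip_address(intended_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    return any(_dns_name_matches(p, intended_host) for p in san_dns)


if __name__ == "__main__":
    # Constructed sample: SANs an API certificate might carry (placeholder names)
    sans = ["api.example.com", "*.cdn.example.com"]
    for host in ["api.example.com", "API.example.com.", "img.cdn.example.com",
                 "cdn.example.com", "a.b.cdn.example.com", "evil.example.com"]:
        print(f"{host:24} -> {hostname_matches(host, sans)}")
```

An app that skips this step (or accepts any name) will happily talk to any server holding any valid certificate, which is exactly the gap a packet capture cannot reveal.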
2

The GMail app, your banking app, or "something less important like Twitter" do not have any requirement to send your data securely over the WiFi (or any wired) connection. You have to investigate each application to be able to conclude whether or not your data is being sent securely.

Using "public" WiFi does expose you to some attacks that are not possible using a wired connection, because you have no way of being certain that the access point is "friendly" to you, or that your peers on that same hotspot are similarly "nice".

It is possible to overcome the security mechanisms of HTTPS, TLS and even (gasp) MD5 hashes. There is no such thing as a "perfectly secure" network protocol/communications suite. There are only "more secure" and "less secure" ones. There are, however, things that you can add as extra layers of protection while you utilize these public hotspots.

Things like VPNs, SSL tunneling, private browsing, TOR, privoxy, "require HTTPS" settings, and many others can be utilized to enhance the security of your communications over these public hotspots.

Android allows you to set up a VPN rather easily. You should consider always VPN-ing from public hotspots back to your home server, and then proxy your traffic out to the Internet from there.

Using a VPN is a good way to enhance the security of an unknown/untrusted WiFi hotspot.

To answer your final question - it is, indeed "every developer for themselves in the Android biosphere!"

0

Apparently you can also add your own self signed certificate to the cert store and man-in-the-middle your app connections through local wifi connection.

I would also try ssl strip on the applications because some applications can use http insecurely when https does not work.

See the following podcasts for more details
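The accepted answer (and the comment under it) recommends a packet capture, on the phone or on a router you control, to see what an app actually sends; this answer adds that some apps silently fall back to plain HTTP. Added here as an example that is not part of any answer, the Python below does the triage step on a captured connection's first payload: it walks a TLS ClientHello record to pull out the SNI host name, or recognises a cleartext HTTP request and its Host header, so a capture can be sorted into "TLS to which server" and "cleartext to which server". The ClientHello builder and the HTTP request are constructed sample inputs with placeholder host names, not captured traffic.

```python
"""Classify one captured TCP first-flight payload as TLS (with SNI) or cleartext HTTP.

Added example, not code from the original answers. Feed it the first bytes the
app sent on a connection (e.g. the TCP payload of the first data packet in a
tcpdump/Wireshark capture). The sample payloads are constructed, not captured.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def parse_client_hello_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Walks record header (type 22, major version 3), handshake header (type 1),
    client_version + random, session id, cipher suites, compression methods,
    then the extension list (RFC 5246 s7.4.1.2, RFC 6066 s3). Any truncation
    or structural mismatch yields None rather than an exception.
    """
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    try:
        sid_len = hello[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hello[pos]; pos += 1 + cm_len
        if pos >= len(hello):
            return None  # no extensions block, so no SNI
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0x0000:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_type = ext[2]
                name_len = struct.unpack("!H", ext[3:5])[0]
                if name_type == 0:  # host_name
                    return ext[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify_payload(payload: bytes) -> dict:
    """Label a first-flight payload as TLS, cleartext HTTP, or unknown."""
    sni = parse_client_hello_sni(payload)
    if sni is not None:
        return {"kind": "tls", "sni": sni}
    if payload[:1] == b"\x16":
        return {"kind": "tls", "sni": None}  # TLS handshake without a readable SNI
    if payload.startswith(HTTP_METHODS):
        host = None
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
                break
        return {"kind": "http", "host": host}
    return {"kind": "unknown"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32)        # client_version, random (zeros: sample only)
             + b"\x00"                        # empty session id
             + b"\x00\x02\xc0\x2f"            # one cipher suite
             + b"\x01\x00"                    # null compression
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples with placeholder host names
    print(classify_payload(build_client_hello("mail.example.com")))
    print(classify_payload(b"GET /api HTTP/1.1\r\nHost: mobile.example.com\r\n\r\n"))
```

A connection classified as "http" to a host the app should only ever reach over HTTPS is the fallback behaviour this answer warns about; a "tls" result tells you the session is encrypted and to which name, but, as the accepted answer notes, not whether the app validated the certificate for that name.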

