ALERT: Snooping Facebook On Android Is Simple

Hackers can eavesdrop on the Android version of Facebook using free code readily available online.

Hackers can easily eavesdrop on the Android version of Facebook using free code readily available online.

Rice University Associate Professor of Computer Science Dan Wallach explains that he and his students set up a sniffer to run Wireshark and Mallory and listen in on his Android smartphone. They found vulnerabilities in several applications running on the mobile device, and here’s what he had to say about Facebook:

Facebook does everything in the clear… My Facebook account’s web settings specify full-time encrypted traffic, but this apparently isn’t honored or supported by Facebook’s Android app. Facebook isn’t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook’s server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.

What options do Android users have, today, to protect themselves against eavesdroppers? Android does support several VPN configurations which you could configure before you hit the road. That won’t stop the unnecessary transmission of your fine GPS coordinates, which, to my mind, neither SoundHound nor ShopSaavy have any business knowing. If that’s an issue for you, you could turn off your GPS altogether, but you’d have to turn it on again later when you want to use maps or whatever else. Ideally, I’d like the Market installer to give me the opportunity to revoke GPS privileges for apps like these.

People accessing Facebook via a computer can set up their account to default to the secure version of the site using the address, but right now, mobile users need to seek out third-party encryption applications to get the same effect.

Readers, what do you recommend for securing access to Facebook from different models of mobile phone?