At a security class yesterday, the trainer asked if we access Facebook with the Facebook App on our mobile phones. Most of us do. More importantly, do we use Wifi while doing so? As you know, Wifi traffic can be easily snooped, particularly on open Wifi networks such as Wireless@SG.
If hackers can capture the traffic between your device and Facebook servers, they could easily obtain your Facebook session key and, subsequently, use it to hijack your Facebook session.
There is another important factor, of course. Does the Facebook App communicate with Facebook servers using HTTP or HTTPS (i.e. encrypted with SSL)?
The trainer said it was HTTP. Oops. I’ve thought about the question before, but I’ve always assumed Facebook would not build such a crappy app. Facebook seems to be reasonably mindful about security, so I assumed the app would use HTTPS. Assumptions, of course, are no good.
I don’t normally use Wifi on my smartphone. So on the one hand, this does not really concern me, but it still did, because I didn’t know if it was HTTP or HTTPS, and it’s always possible that one day I would wrongly assume that my using the Facebook App on an open Wifi network would be “okay”. Actually, I don’t even have to actively use the Facebook App, since it could well connect to Facebook servers in the background to check for notifications. So if one fine day I wanted to use a free Wifi network for whatever reason, my Facebook App could be leaking my session ID without my knowledge.
So, curiosity got the better of me. Today, I had to check it out. I configured my phone to use Wifi, and then snooped on the outgoing traffic to the Internet. Here’s a snippet from tcpdump.
12:05:43.858472 IP 184.108.40.206.50622 > 220.127.116.11.https: S 2381719600:2381719600(0) win 14600 <mss 1380,sackOK,timestamp 12717020 0,nop,wscale 2>
So basically that means the Facebook App uses HTTPS. This is version 1.8.4 of the Facebook for Android app. I can’t guarantee it will be HTTPS for you. If you are as concerned as I am, you probably should check it out yourself too!
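The check above is done by eye on one tcpdump line. The script below is an added example, not code from the post, that does the same classification over a whole capture: it parses tcpdump's one-line TCP summaries (both the older "S 123:123(0)" flag style shown above and the newer "Flags [S]" style), keeps only the client SYNs sent from the phone's address, and reports which destinations were contacted over a TLS port and which over a plaintext port. The phone address, the destination hosts other than the one quoted in the post, and the port-to-protocol tables are constructed assumptions for the example.

```python
import re

# Matches tcpdump's one-line IPv4/TCP summary in both the older style
# ("... > 1.2.3.4.https: S 123:123(0) win ...") and the newer style
# ("... > 1.2.3.4.443: Flags [S], seq 7, win ...").  tcpdump prints
# well-known ports as service names (http, https) unless -n/-nn is given.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[\w-]+): "
    r"(?:Flags \[(?P<newflags>[^\]]*)\]|(?P<oldflags>[SFRPUW.]+))"
    r"(?P<rest>.*)$"
)

# Destination ports whose application layer carries cookies or credentials in the clear
# (assumed mapping for this example; extend it for your own environment).
PLAINTEXT = {"http": "HTTP", "80": "HTTP", "8080": "HTTP", "ftp": "FTP", "21": "FTP",
             "pop3": "POP3", "110": "POP3", "imap": "IMAP", "143": "IMAP"}
# Destination ports where the application layer is wrapped in TLS.
ENCRYPTED = {"https": "HTTPS", "443": "HTTPS", "imaps": "IMAPS", "993": "IMAPS",
             "pop3s": "POP3S", "995": "POP3S"}


def parse_tcp_line(line):
    """Return the fields of one tcpdump TCP summary line, or None if it is something else."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = pkt["newflags"] if pkt["newflags"] is not None else pkt["oldflags"]
    return pkt


def is_new_connection(pkt):
    """True for a client SYN: SYN set and ACK clear.

    A SYN-ACK shows as 'S.' in the newer style or as 'S ... ack N' in the older style.
    """
    flags = pkt["flags"]
    return "S" in flags and "." not in flags and " ack " not in pkt["rest"]


def classify_port(port):
    """Map a destination port (number or service name) to a verdict and protocol label."""
    if port in ENCRYPTED:
        return "encrypted", ENCRYPTED[port]
    if port in PLAINTEXT:
        return "plaintext", PLAINTEXT[port]
    return "unknown", "tcp/" + port


def audit(lines, local_ip):
    """List each distinct outbound connection attempt from local_ip as (dst, port, verdict, proto)."""
    seen = set()
    findings = []
    for line in lines:
        pkt = parse_tcp_line(line)
        if pkt is None or pkt["src"] != local_ip or not is_new_connection(pkt):
            continue
        key = (pkt["dst"], pkt["dport"])
        if key in seen:
            continue
        seen.add(key)
        verdict, proto = classify_port(pkt["dport"])
        findings.append((pkt["dst"], pkt["dport"], verdict, proto))
    return findings


def plaintext_destinations(lines, local_ip):
    """Only the findings that went out over a cleartext protocol: the ones worth worrying about."""
    return [f for f in audit(lines, local_ip) if f[2] == "plaintext"]


# Constructed capture: the first line is the one quoted in the post; the rest are made up
# to show a plaintext HTTP connection, the server's SYN-ACK (which must not be counted),
# a bare ACK, and the newer tcpdump flag syntax.
PHONE_IP = "184.108.40.206"  # assumed address of the phone on the Wifi network
SAMPLE_CAPTURE = """\
12:05:43.858472 IP 184.108.40.206.50622 > 220.127.116.11.https: S 2381719600:2381719600(0) win 14600 <mss 1380,sackOK,timestamp 12717020 0,nop,wscale 2>
12:05:44.102331 IP 184.108.40.206.50623 > 203.0.113.10.http: S 1000:1000(0) win 14600 <mss 1380>
12:05:44.150210 IP 203.0.113.10.http > 184.108.40.206.50623: S 5000:5000(0) ack 1001 win 5840 <mss 1460>
12:05:44.151002 IP 184.108.40.206.50623 > 203.0.113.10.http: . ack 1 win 3650
12:05:45.000000 IP 184.108.40.206.50624 > 203.0.113.20.443: Flags [S], seq 7, win 14600, length 0
12:05:46.000000 IP 184.108.40.206.50625 > 203.0.113.30.8080: Flags [S], seq 9, win 14600, length 0
12:05:46.500000 IP 203.0.113.30.8080 > 184.108.40.206.50625: Flags [S.], seq 1, ack 10, win 5840, length 0
""".splitlines()

if __name__ == "__main__":
    # Feed real output with: tcpdump -l -i wlan0 'tcp[tcpflags] & tcp-syn != 0' | python3 this.py
    for dst, port, verdict, proto in audit(SAMPLE_CAPTURE, PHONE_IP):
        print(f"{dst}:{port:<6} {proto:<6} {verdict}")
```

Seeing a SYN to port 443 only tells you the app reached a TLS port; it says nothing about whether the app validates the server certificate, so a port audit like this rules out the obvious plaintext case and no more. Filtering on SYNs (as in the tcpdump command in the comment) keeps the capture small enough to read through for every app that wakes up in the background.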
Having thought about the whole situation, I think the safest bet is to avoid using Wifi, particularly open Wifi networks. Some crappy applications could, in the background, connect insecurely and send secrets out in plaintext. It’s too easy for drive-by hackers to collect credentials and other personal information.
Although the real problem is with applications communicating insecurely, using 3G data sort of helps a little bit because, well, you are less exposed. The telco, ISP, or other network infrastructure that carries your traffic could still snoop your traffic, but well, we hope those people are not bad people. At the very least, by ensuring you only use 3G for your data connectivity, you’ve locked out drive-by hackers who prey on Wifi.
I don’t usually connect to Wifi since 3G is available everywhere and there’s no way I can ordinarily use up my monthly bandwidth quota. But I’ve not really thought about Wifi being bad. Now I do. This will be a good reason to remind myself not to turn on Wifi on my smartphone.