
Security


Things overheard on the WiFi from my Android smartphone. Today in my undergraduate security class, we set up a sniffer so we could run Wireshark and Mallory to listen in on my Android smartphone.


This blog piece summarizes what we found. Google properly encrypts traffic to Gmail and Google Voice, but they don’t encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar. Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn’t really a privacy concern.

Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets. Facebook does everything in the clear, much like Twitter. My Facebook account’s web settings specify full-time encrypted traffic, but this apparently isn’t honored or supported by Facebook’s Android app.

Weird

Advanced sign-in security for your Google account. Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family?


There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information. Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account.

Google rolling out two-step account security using your Android phone.