Android smartphones send user private data unencrypted to Facebook

A new research found that cellphones based on Android platform fail to encrypt users’ data sent to Facebook and Google Calendar. Rice University professor Dan Wallach conducted a simple exercise for his undergraduate students where he connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google's mobile platform.

Thus, the official Facebook application transmitted everything except for the password in the clear, Wallach blogged on Tuesday. It means that all private messages, photo uploads and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook's recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks.

“People for right or wrong treat Facebook as something that's more personal and private,” Wallach told The Reg. “With Facebook, we never saw a password going back and forth, but there was unencrypted traffic, which is interesting because I've set my Facebook web client to use their new SSL-all-the-time feature. But that does't reflect onto the Facebook app on Android.”

Google Calendar also showed a similar unencryption in Wallach's experiment by also sending and receiving data in the clear. That makes it possible for snoops to see your schedule when the service is accessed on unsecured networks.

None of the apps Wallach tested transmitted passwords in the clear.

In a separate report F-Secure said that there is one shortcoming in Facebook's SSL offerings: it appears rogue Facebook apps can disable the feature.