Plaintext Wall of Shame
It came to my attention recently that several modern applications still don't use encryption for what may be sensitive information, nor do they provide the option to use SSL for encryption. It is my belief that users should know what steps applications take to ensure the confidentiality of their data, especially passwords. What follows is a list of apps I've tested, colorized by the degree to which I've found they may leak sensitive data by sending it with no or poor encryption. Data leaked in this way is visible to a completely passive eavesdropper, such as someone sniffing the WiFi at your local coffee shop. (Of course, it is probably harder to eavesdrop on the 3G network than on coffee shop WiFi.) All of these leaks are simple to discover for anyone who cares to look.
Disclaimer: All applications are listed with the date on which they were tested. The behavior of these applications may have changed since these results were posted. All applications were tested in their free versions unless otherwise noted.
| Application | Passwords | Messages/Chat | Date |
|---|---|---|---|
| AIM Free for iPhone | SSL | Plaintext, no obvious SSL option. | March 6, 2010 |
| eBuddy for iPhone | eBuddy and account passwords use encoding labeled "rsa" | TK | March 6, 2010 |
| Echofon for iPhone | SSL | N/A | March 6, 2010 |
| | SSL | Plaintext; unclear SSL option. | October 9, 2009 |
| Facebook for iPhone | SSL | Plaintext; no SSL option. | March 6, 2010 |
| GMail Chat | SSL | SSL when enabled. | October 9, 2009 |
| IM+ Lite for iPhone | SSL | Appears to be SSL. | March 6, 2010 |
| iSoft Twitter for iPhone | SSL | N/A | October 10, 2009 |
| Palringo for iPhone | Encrypted in a proprietary protocol. | Plaintext, despite using the HTTPS port. | October 10, 2009 |
| SimplyTweet Lite for iPhone | HTTP Basic Authentication. | N/A | October 10, 2009 |
| Tweetdeck for iPhone | HTTP Basic Authentication. | N/A | March 6, 2010 |
| Twitbird for iPhone | SSL | N/A | October 10, 2009 |
| | SSL | N/A | October 9, 2009 |
| Twitter API | Supports insecure HTTP Basic Authentication. | N/A | October 9, 2009 |
| Twitterrific for iPhone | SSL | N/A | October 10, 2009 |
| Yahoo Messenger for iPhone | SSL | Plaintext, no obvious SSL option. | October 10, 2009 |
| ZiiBii for iPhone | SSL | N/A | October 10, 2009 |
If you maintain any of the applications listed here and believe you have fixed any problems noted or that they were noted in error, feel free to contact me and I will be happy to take a second look. My contact information is available.
Note: I am ignoring the well-publicized active attacks on SSL and treating it as secure because I am concerned with passive eavesdroppers. Using even a self-signed SSL certificate would be a significant improvement over the leaks highlighted in red. With the rise of free WiFi and mobile devices, we ought to be designing applications under the assumption that they will be used over unencrypted WiFi. The bar is extremely low for eavesdropping on such networks; any kiddie with a laptop can sniff with virtually no risk of detection. If application developers step up and force attackers to use active attacks, we force them to risk detection and put them on the shakier moral ground of directly interfering with network traffic, rather than simply recording radio waves that were being broadcast to everyone.
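As an added illustration, not part of the original post, of why the HTTP Basic Authentication rows in the table count as leaks, and of the Palringo case where traffic on the HTTPS port was still plaintext: a small audit over constructed captured streams that flags credentials a passive observer could read, deciding by whether the bytes are actually TLS rather than by the port number. The hosts and captures are hypothetical, and the check reports usernames only.

```python
import base64

# Constructed sample captures as a passive observer on open WiFi would see them:
# (destination host, port, first bytes of the client's stream). Hosts are hypothetical.
SAMPLE_STREAMS = [
    ("api.tweets.invalid", 80,
     b"GET /1/statuses/home_timeline.json HTTP/1.1\r\nHost: api.tweets.invalid\r\n"
     b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    # Plaintext HTTP sent to the HTTPS port: the port number alone proves nothing.
    ("chat.example.invalid", 443,
     b"POST /send HTTP/1.1\r\nHost: chat.example.invalid\r\n"
     b"Authorization: Basic Ym9iOnN3b3JkZmlzaA==\r\n\r\n"),
    # Start of a TLS ClientHello (record type 0x16, version 3.x); only ciphertext follows.
    ("mail.example.invalid", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

def is_tls(payload: bytes) -> bool:
    """True if the stream opens with a TLS record (content type 22, major version 3)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def basic_auth_user(payload: bytes):
    """Username from an HTTP Basic Authorization header in a plaintext request, else None.
    The token is decoded only to check it is well formed; the password half is discarded."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary stream, not an HTTP request
    for line in text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
            return decoded.partition(":")[0]
    return None

def audit(streams):
    """Return (host, port, username) for each stream exposing Basic credentials to a
    passive eavesdropper, judged by whether the bytes are TLS rather than by port."""
    findings = []
    for host, port, payload in streams:
        if not is_tls(payload):
            user = basic_auth_user(payload)
            if user is not None:
                findings.append((host, port, user))
    return findings
```

Running `audit(SAMPLE_STREAMS)` flags both plaintext streams, including the one on port 443, and leaves the TLS stream alone.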