Planetoid Android » Security

Foursquare passwords sent in clear text!

PlanetoidAndroid — Thu, 15 Jul 2010 13:08:43 +0000

I had a look at Foursquare recently as a few of my colleagues were using it. One of the apps I downloaded was FourSquareX .

I was really surprised by a message on the logon screen saying that passwords are sent in clear text:

I figured this might just be for the API but decided to investigate whether this is also the case on the main site and it seems it is. Running LiveHTTPHeaders you can see the following when you log on to foursquare.com (I’ve put some asterisks in to remove user identifiable stuff):

F***231419577AFW=true&F*****1419575D1V=********%40gmail.com&password=4square

(this is the same on the ‘/mobile/’ site)

And when you change your account password (in this example to ‘nothidden’):
-----------------------------*****591617307847261632891267 Content-Disposition: form-data; name="****2314598660HU" nothidden -----------------------------*****591617307847261632891267 Content-Disposition: form-data; name="****231459867BB4" nothidden

I’m really surprised at this as it means a packet sniffer could easily pick out your password. It also suggests a relaxed attitude towards sending and maybe even storing users data. I wouldn’t be surprised if the smartphone apps (such as the Android one) also send password details in clear text although I haven’t tested this hypothesis.

So, if I keep using it I will definitely use a unique password for Foursquare.com and not store any sensitive data in your account. Like my erm.. email, date of birth, where you’ve been for the past few days for example…

Chrome destined for Android

PlanetoidAndroid — Fri, 05 Sep 2008 15:25:28 +0000

It seems that the Google Chrome browser which has (at the time of writing) already been downloaded by 14 million people is likely to be part of the base Android platform. I have heard rumours that this will be a cut down version with much of the desktop version’s ‘thread safe’ tab browsing but that early versions may not have Google Gears. Here’s hoping that later versions integrate Gears as it would probably be of more benefit in a mobile environment than anywhere else. One of the benefits of Gears is that it allows the use of the web in offline mode and reduces the number of calls to servers by using a local cache. However, this in turn may raise further security issues as to how that local data is protected (i.e. should it be encrypted).

Chrome itself has also been the subject of attacks by the media for lauching with code based on an insecure version of Webkit. Expect a patch soon.

Security team appeal for experts to focus on Android

PlanetoidAndroid — Tue, 02 Sep 2008 10:46:44 +0000

Google Android’s security team have asked security experts to ‘ethically hack’ their platform and report back privately on what they find. I think this is a smart approach but how they’ll get much of what they find resolved in time for the upcoming HTC Dream release will be interesting.

I think that it will be interesting to compare security on the different platforms given the the ‘openness’ of Android relative to closed platforms such as the iPhone, Blackberry, Windows Mobile and Symbian. Although the iPhone is a closed platform it is generally not considered secure enough for most enterprises to embrace it yet. This is perhaps reinforced by the simplicity of the latest password hack for the iPhone.

Blackberry is generally considered secure (if you enforce the appropriate policies) with the occasional hiccup(!). Windows Mobile is becoming more security conscious with each release and at least has the concept of signing applications as does Symbian.