Dan Wallach, who maintains a blog on the other side of the sphere, set up a wireless sniffer to listen to the overheard wireless signals on his Android smartphone, to determine how common web services transmitted data.
Truly, a testament to undergraduate studies: to think of such an idea and to give it a go; engaging with students and show them real life practical security skills, something you don't see often anymore.
By studying the way that Google, Twitter and Facebook send your data from your mobile device to the cloud or the service, it gives an insight into how the aforementioned services treat our data and gives them a level of security grading.
Google seems to come off the best, with Twitter and Facebook not doing too well.
- Google properly encrypts traffic to Gmail and Google Voice, but they don't encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
- Twitter does everything in the clear, but then your tweets generally go out for all the world to see, so there isn't really a privacy concern. Twitter uses OAuth signatures, which appear to make it difficult for a third party to create forged tweets.
- Facebook does everything in the clear, much like Twitter. My Facebook account's web settings specify full-time encrypted traffic, but this apparently isn't honoured or supported by Facebook's Android app. Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well. Also notable: one of the requests we saw going from my phone to the Facebook server included an SQL statement within. Could Facebook's server have a SQL injection vulnerability? Maybe it was just FQL, which is ostensibly safe.