Android backup feature – secure or not?
Recent revelations that Internet titans like Apple, Google, Yahoo and others are obligated by the US Government to disclose sensitive user data to its agencies have turned researchers toward a more thorough investigation of the technologies developed and used by these giants.
Micah Lee, an engineer at the EFF and CTO of the Freedom of the Press Foundation, recently found that the “Back up my data” feature in the Android OS is a potential threat because it delivers a lot of private data (including passwords) as plain text to Internet giant Google.
“Since backup and restore is such a useful feature, and since it’s turned on by default, it’s likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it’s likely that Google has plaintext Wi-Fi passwords for the majority of password-protected wifi networks in the world,” he shared in Android’s bug tracker.
If you remember that Google’s Street View cars were identified as collecting Wi-Fi data along their routes, it is easy to see how such information could be merged and used to track an individual’s path over time.
“If an NSA analyst, or likely someone from CIA or even FBI, asks Google for information about you, your house’s and office’s wifi passwords are likely included in that data. Without a warrant,” he also added in a blog post, mentioning that any hacker possessing this kind of information can do a lot of harm.
“With your home wifi password, an attacker can sniff wifi traffic outside your house (without connecting to your network) and then decrypt it all, passively eavesdropping on your private network. If the attacker wants to do more active attacks, they can connect to your wifi network and mount a man-in-the-middle attack to eavesdrop on and modify any unencrypted Internet traffic. If you download a file, they can serve you a malicious version instead,” he also mentioned.
“An attacker can scan for desktop PCs, laptops, smartphones and tablets that are connected to your network, scan for open ports, and exploit vulnerable services. If you have a laptop or desktop connected to your network that you haven’t updated or patched for a couple weeks, or that you’ve never configured a firewall on, or that you’ve installed random servers on and have never touched them since, then there is a good chance the attacker might take over those computers.”
He did not say that the NSA or another government agency would do such things, but it is easy to see that there is a great chance for them to access this kind of information.
Because Google cannot, legally speaking, refuse such a request from the government, the best option in Lee’s opinion is for Google to offer its users the ability to encrypt synced passwords or to encrypt all data with passphrases of their own choosing.