Android backup feature – secure or not ?

Posted by | July 20, 2013 | News | No Comments


In the light of recent events that Internet titans like Apple, Google, Yahoo or others are obligated by the US Government to disclose to their agencies sensitive user data, have turned researchers to a more thorough investigation of the technologies developed and used by these giants.

Android backup feature - secure or not

An engineer from EFF and CTO of Freedom of the Press Foundation, Micah Lee, has recently found out that the feature “Back up my data” present on the Android SO is a potential threat because it delivers a lot of private data (including passwords) as plain text to Internet giant Google.

“Since backup and restore is such a useful feature, and since it’s turned on by default, it’s likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it’s likely that Google has plaintext Wi-Fi passwords for the majority of password-protected wifi networks in the world,” he shared in Android’s bug tracker.

If you remeber that Google’s Street View cars were identified as collecting Wi-Fi data on their road, it is easy to think that such information can be merged and used for tracking an individual’s path over time.

“If an NSA analyst, or likely someone from CIA or even FBI, asks Google for information about you, your house’s and office’s wifi passwords are likely included in that data. Without a warrant,” he also added in a blog post mentioning that any hacker possessing this kind of information can do a lot of harm.

“With your home wifi password, an attacker can sniff wifi traffic outside your house (without connecting to your network) and then decrypt it all, passively eavesdropping on your private network. If the attacker wants to do more active attacks, they can connect to your wifi network and mount a man-in-the-middle attack to eavesdrop on and modify any unencrypted Internet traffic. If you download a file, they can serve you a malicious version instead,” he also mentioned.

“An attacker can scan for desktop pc’s, laptops, smartphones and tablets that are connected to your network, scan for open ports, and exploit vulnerable services. If you have a laptop or desktop connected to your network that you haven’t updated or patched for a couple weeks, or that you’ve never configured a firewall on, or that you’ve installed random servers on and have never touched them since, then it is a good chance the attacker might take over those computers.”

He did not specify that NSA or other government agency would to such things, but is easy to see that there is a great chance for them to access those kind of information.

Because Google cannot, legally speaking, refuse such a request from the government, the best option in Lee’s opinion is that Google should offer its users the ability to encrypt synced passwords or to encrypt all data with their chosen passphrases.

About Network Security

At SecurityNet.org we believe each of us plays an important role in network security, and data protection. The articles on this site were written to keep each of us informed on the ever changing security scene so that we might stay one step ahead of those who would compromise our systems. If you have an article that you feel our visitors would benefit from please submit it via the contact form, or via email and we will publish it in the next available slot.