Free tool reveals mobile apps sending unencrypted data

Datapp is designed for less technical users to see what data isn't protected

Datapp collects unencrypted data traffic and shows what is being transmitted, such as a message or a photograph.

Datapp collects unencrypted data traffic and shows what is being transmitted, such as a message or a photograph.

A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn't protected.

The program, called Datapp, comes from the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data.

The reaction to that study prompted the group to create an application where people could test for themselves which applications don't encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG's director.

There are many security tools that can collect wireless data traffic, but they're usually designed for people with some technical background. Datapp is essentially a traffic "sniffer," along the lines of network traffic analysis tool Wireshark, but much simpler.

"Think of it as Wireshark with an access point for dummies," Baggili said.

Datapp is so far only compatible with computers running Windows 7 or 8. It turns a computer into a wireless access point with which any type of mobile phone can connect.

It can then display unencrypted traffic and reconstruct, for example, messages or images that are sent. For example, Facebook doesn't encrypt content sent using its Messenger, so Baggili said a user could see a selfie he or she sent using the service.

Datapp also logs whether a connection is just http or https, the signifier that a connection is encrypted. It also shows on a map of the world the start and end points of the device's communications.

Apps that don't use encryption are vulnerable to snooping. For example, data sent over a Wi-Fi hotspot could be collected by someone nearby. Groups including the Electronic Frontier Foundation and companies such as Google have made a large public push to encourage developers to use encryption to prevent everything from spying to cybercrime.

The move to https has been slower for some companies that run large infrastructures, as it can require significant development work.

Baggili said UNHcFREG developed the app without any outside funding and is accepting donations to add more features to it. Its lead developer is Roberto Mejia of Brooklyn, New York, who is a master's candidate in computer science. It can be downloaded here.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securityUniversity of New Haven Cyber Forensics Research and Education Group

More about Electronic Frontier FoundationFacebookGoogleMessenger

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts