Free tool reveals mobile apps sending unencrypted data
- 13 May, 2015 12:25
Datapp collects unencrypted data traffic and shows what is being transmitted, such as a message or a photograph.
A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn't protected.
The program, called Datapp, comes from the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data.
The reaction to that study prompted the group to create an application where people could test for themselves which applications don't encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG's director.
There are many security tools that can collect wireless data traffic, but they're usually designed for people with some technical background. Datapp is essentially a traffic "sniffer," along the lines of network traffic analysis tool Wireshark, but much simpler.
"Think of it as Wireshark with an access point for dummies," Baggili said.
Datapp is so far only compatible with computers running Windows 7 or 8. It turns a computer into a wireless access point with which any type of mobile phone can connect.
It can then display unencrypted traffic and reconstruct, for example, messages or images that are sent. For example, Facebook doesn't encrypt content sent using its Messenger, so Baggili said a user could see a selfie he or she sent using the service.
Datapp also logs whether a connection is just http or https, the signifier that a connection is encrypted. It also shows on a map of the world the start and end points of the device's communications.
Apps that don't use encryption are vulnerable to snooping. For example, data sent over a Wi-Fi hotspot could be collected by someone nearby. Groups including the Electronic Frontier Foundation and companies such as Google have made a large public push to encourage developers to use encryption to prevent everything from spying to cybercrime.
The move to https has been slower for some companies that run large infrastructures, as it can require significant development work.
Baggili said UNHcFREG developed the app without any outside funding and is accepting donations to add more features to it. Its lead developer is Roberto Mejia of Brooklyn, New York, who is a master's candidate in computer science. It can be downloaded here.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk