Path - Privacy & Security Problems
I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling...
Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is a good thing.
Apart from images. If your friends are posting images, they are sent over http. No security. Anyone monitoring your network connection will be able to see all the images you're viewing.
Now, that's bad enough - but it turns out that all the images you send are visible to the world even if you've set your post to private.
The images are sent over SSL, but as soon as you return to your "Path", a thumbnail is shown of what you've just posted!
Here's a picture of the logs, so you can see what's happening.
So, every image you post or see - including the avatars of your friends - is visible to all. A rather serious security and privacy problem.
Oh, does anyone know what the unencrypted call to "sendgrid.net" is all about?
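As an added example (not code from the original post or from Path), here is a small checker for the kind of log described above: it reads request lines in a constructed "METHOD URL" format with invented hostnames, flags every fetch that is not over https, and treats image fetches as content exposure, since those bytes are readable on the network whatever the post's privacy setting. The last constructed line stands in for an unrelated cleartext call of the sort asked about above.

```python
# Added example (not from the original post): flag cleartext image fetches in
# a request log. Log format and hostnames below are constructed placeholders.
from urllib.parse import urlparse

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

# Constructed sample, modelled on the mix the post describes: API calls over
# SSL, image/thumbnail/avatar fetches over plain HTTP, one unrelated http call.
SAMPLE_LOG = """\
POST https://api.social.example/v1/moment
GET https://api.social.example/v1/feed
GET http://cdn.social.example/images/moment_123.jpg
GET http://cdn.social.example/thumbs/moment_123_small.jpg
GET http://cdn.social.example/avatars/user_42.png
GET http://mail.tracker.example/open?id=abc
"""


def audit_requests(log_text):
    """Return (kind, host, path) for every request not sent over https.
    Image fetches over http are 'content-exposure' (readable by anyone on the
    network path, whatever the post's privacy setting); others 'cleartext-call'.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:          # skip blank or malformed lines
            continue
        url = urlparse(parts[1])
        if url.scheme == "https":
            continue
        image = url.path.lower().endswith(IMAGE_EXTENSIONS)
        kind = "content-exposure" if image else "cleartext-call"
        findings.append((kind, url.netloc, url.path))
    return findings


def count_by_kind(findings):
    """Tally findings per kind, e.g. to fail a build if any exposure exists."""
    counts = {}
    for kind, _host, _path in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_requests(SAMPLE_LOG)
    for kind, host, path in found:
        print(f"{kind:17} {host}{path}")
    print(count_by_kind(found))
```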
Kai Hendry says:
How do you snoop traffic on your Android? I'm guessing you can make Ubuntu behave as an AP and tcpdump traffic, but I'm not sure how you get a UI like that. Firesheep?
Terence Eden says:
Much easier than that, I use Android debugger DDMS - it basically streams the logs in realtime over USB.