Path – Privacy & Security Problems

by @edent | 2 comments

I’m trying out the new Android app for Path – the new social networking service. I’ve discovered something rather troubling…

Most of the app’s communication with the Path servers is over SSL. This means that no-one can see the data you’re sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is a good thing.

Apart from images. If your friends are posting images, they are sent over http. No security. Anyone monitoring your network connection will be able to see all the images you’re viewing.

Now, that’s bad enough – but it turns out that all the images you send are visible to the world even if you’ve set your post to private.

The images are uploaded over SSL, but as soon as you return to your “Path”, a thumbnail of what you’ve just posted is displayed – and that thumbnail is fetched over plain http!

Here’s a picture of the logs, so you can see what’s happening.

[Image: screenshot of the logs (alt text “path ssl”), showing the SSL calls alongside the unencrypted image requests]

So, every image you post or see – including the avatars of your friends – is visible to all. A rather serious security and privacy problem.
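The problem described above – an app that talks to its API over SSL but pulls images, thumbnails and avatars over plain http – is easy to spot if you audit the app’s request log rather than eyeballing it. The script below is an added example, not part of the original post or of the Path app; it takes request log lines in a constructed format (loosely modelled on what a debugger such as DDMS would stream), classifies each request by scheme and by whether it is an image fetch, and reports every unencrypted request. The hostnames and paths in the sample are made up (`.invalid` domains) and are not Path’s real endpoints.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log, NOT real Path output: the hosts and paths are
# placeholders chosen to illustrate the mixed http/https pattern.
SAMPLE_LOG = """\
I/ActivityManager(  312): Displayed com.example.social/.FeedActivity
D/SocialNet( 1234): GET https://api.example-social.invalid/1/moment/feed
D/SocialNet( 1234): POST https://api.example-social.invalid/1/moment/create
D/SocialNet( 1234): GET https://api.example-social.invalid/1/user/me
D/SocialNet( 1234): GET https://api.example-social.invalid/1/user/me/avatar.png
D/SocialNet( 1234): GET http://cdn.example-social.invalid/img/thumb/abc123.jpg
D/SocialNet( 1234): GET http://cdn.example-social.invalid/img/avatar/def456.jpg
D/SocialNet( 1234): GET http://cdn.example-social.invalid/img/full/abc123.jpg
"""

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

# Matches "<METHOD> <absolute http(s) URL>" anywhere in a log line; lines
# without a request (e.g. the ActivityManager line above) are skipped.
REQUEST_RE = re.compile(r"\b(GET|POST|PUT|DELETE|HEAD)\s+(https?://\S+)")


def parse_requests(log_text):
    """Return a list of (method, url) pairs for every request in the log."""
    requests = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            requests.append((match.group(1), match.group(2)))
    return requests


def is_image_url(url):
    """Classify a URL as an image fetch by its path extension."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext) for ext in IMAGE_EXTENSIONS)


def audit(log_text):
    """Count requests by (scheme, kind) and list every plaintext request.

    Returns a dict with:
      counts    -> {(scheme, kind): n}, kind is "image" or "other"
      plaintext -> [(method, url, kind), ...] for every http:// request
    """
    counts = Counter()
    plaintext = []
    for method, url in parse_requests(log_text):
        scheme = urlsplit(url).scheme
        kind = "image" if is_image_url(url) else "other"
        counts[(scheme, kind)] += 1
        if scheme == "http":
            plaintext.append((method, url, kind))
    return {"counts": dict(counts), "plaintext": plaintext}


def format_report(result):
    """Render the audit result as a short human-readable report."""
    lines = ["Requests by scheme and kind:"]
    for (scheme, kind), n in sorted(result["counts"].items()):
        lines.append(f"  {scheme:5s} {kind:5s} {n}")
    if result["plaintext"]:
        lines.append("Unencrypted requests (visible to anyone on the network):")
        for method, url, kind in result["plaintext"]:
            lines.append(f"  {method} {url}  [{kind}]")
    else:
        lines.append("No unencrypted requests found.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_LOG)))
```

Run against a real capture, the useful signal is the shape of the `counts` table: an app whose API traffic is entirely `https` while every `image` row is `http` has exactly the split described above, and each entry in `plaintext` is a resource a network observer can see regardless of any “private” setting in the app.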

Oh, does anyone know what the unencrypted call to “” is all about?

2 thoughts on “Path – Privacy & Security Problems”

  1. Kai Hendry says:

    How do you snoop traffic on your Android? I’m guessing you can make Ubuntu behave as an AP and tcpdump traffic, but I’m not sure how you get a UI like that. Firesheep?

    1. Much easier than that, I use Android debugger DDMS – it basically streams the logs in realtime over USB.
