Archive for August, 2010
I recently bought an HTC EVO 4G and, as usual, configured my Twitter account with the default HTC Peep.
As a security-conscious person, I checked my mobile WiFi connection using an ARP sniffer (ettercap), and it turned out that HTC Peep connects to twitter and twitimg with plain-text authentication (showing my username and password to the public). It is not even connecting to the Twitter API over HTTPS.
So I decided not to use it and moved to a better alternative (or so I hoped).
It's the Twitter app for Android.
I did the same test. It also does not connect to the Twitter API over HTTPS; it also sends the password in plain text.
Now I have a couple of doubts.
1) Am I doing anything wrong?
2) Is it only happening to me?
3) What is an alternative? (All I know is to use the usual web-based Twitter site, i.e. the mobile edition over HTTPS.)
How does this count as a security issue?
Well, here is a scenario. You are using your phone on a public WiFi hotspot, and some hacker is eavesdropping on the WiFi packets. If he is skilled enough to turn on ARP Scan, then boom, your Twitter username and password are exposed. Now what can he do with this information? There are a couple of ways he can use it: he may social-engineer your password and use it to grab access to the rest of your online life (recent studies show 70% plus people use the same password across their online accounts), or he may use your information to get at your friends list. We won't know anything about it (I don't think Twitter has a way to detect logins from different IPs).
So I am looking for answers and more ways to find a solution.
If you are an Android user and use any application, make sure you are not leaking any information unknowingly.
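One way to do that check on your own device is to capture the phone's traffic (ettercap or Wireshark on the same hotspot will do) and audit each request for a credential sent without TLS. The script below is an added example, not code from the original post or from either app; the sample requests are constructed, the host names and port 80/443 convention are assumptions, and the findings deliberately report only the user name and the kind of credential, never the password itself.

```python
"""Audit captured requests from your own phone for credentials sent in the clear."""
import base64
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample (not a real capture): (destination host, port, raw payload)
# in the shape a sniffer such as ettercap or Wireshark would reassemble it.
BASIC = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_REQUESTS: List[Tuple[str, int, str]] = [
    ("api.twitter.com", 80,                       # HTTP Basic auth over port 80
     "GET /1/statuses/home_timeline.json HTTP/1.1\r\nHost: api.twitter.com\r\n"
     f"Authorization: Basic {BASIC}\r\n\r\n"),
    ("mobile.example.com", 80,                    # form login POST over port 80
     "POST /login HTTP/1.1\r\nHost: mobile.example.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=alice&password=hunter2"),
    ("api.twitter.com", 443, "\x16\x03\x01..."),  # TLS: only ciphertext on the wire
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I | re.M)
HTTP_START = re.compile(r"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r\n")
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def find_cleartext_credentials(requests) -> List[Dict[str, str]]:
    """Return one finding per request that carried a credential without TLS.
    The password itself is never copied into a finding, only user and kind."""
    findings = []
    for host, port, payload in requests:
        if port == 443 or not HTTP_START.match(payload):
            continue                              # encrypted, or not HTTP at all
        head, _, body = payload.partition("\r\n\r\n")
        m = BASIC_RE.search(head)
        if m:
            try:
                user = base64.b64decode(m.group(1)).decode().split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            findings.append({"host": host, "kind": "http-basic", "user": user})
        form = parse_qs(body) if body else {}
        if any(f in form for f in PASSWORD_FIELDS):
            user = (form.get("username") or form.get("user") or ["<unknown>"])[0]
            findings.append({"host": host, "kind": "form-password", "user": user})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"{f['host']}: {f['kind']} credential for {f['user']} sent without TLS")
```

A clean app produces no findings at all: with HTTPS in use the capture contains only TLS records, which the audit skips.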