The vulnerability of Android voice and text messaging apps could be easily demonstrated and applied in law enforcement investigations, a researcher at the University of South Australia has found.
According to Dr Kim-Kwang Raymond Choo of the Uni of SA's Information Assurance Research Group, given the appropriate legal permissions to intercept a suspect, Android was the “low hanging fruit” among mobile devices.
Addressing Informa’s annual Police Technology Forum in Canberra late last week, Choo rated BlackBerry and iPhone (from version 5) as the toughest devices to intercept.
“If I wanted security or wanted to evade legal interception, I would use a current model iPhone or BlackBerry,” he said.
Choo presented a paper studying the security of 10 Android VoIP applications, which found Yahoo was the only VoIP app to run communications unencrypted.
The other nine applications tested were Skype, Google Talk, ICQ, Viber, Nimbuzz, Fring, Vonage, WeChat, and Tango.
Network capture was easy with Android utilities such as Shark for Root and Wireshark, Choo said.
“Once you capture the communication, as long as you know the app used, you will be able to play back the original conversation.”
For Yahoo, the captured text messages sent by the user of the device were in plaintext. The captured text messages received by the user were encrypted.
Choo found voice communications were encrypted for Skype, Google Talk, Nimbuzz and Tango. However, Fring, Vonage and Tango appeared to “silently” turn off encryption whenever a mobile network was involved.
He found no voice communication encryption for ICQ, Viber, Yahoo, Fring, Vonage and WeChat.
Yahoo did not respond to a request for comment on Choo’s findings.
Cloud storage accounts also vulnerable
Choo found cloud storage passwords could be easily retrieved from a Windows desktop or laptop, with SkyDrive (now OneDrive), Dropbox and Google Drive vulnerable to interception.
“We were able to recover username and password of the three public cloud storage services if the user had used their browsers to access these services – and in most cases the passwords were in plain text,” he said.
The username for each service could be located in database files on the hard drive, in cookie files, or in memory captures.
The password for each service could be found either in memory near common terms, or stored on the hard drive in plain text. However, Dropbox versions after 1.2.52 encrypted their passwords.
It was possible to gain full access to a Google Drive account when the client software was installed, by using the ‘visit Google Drive on the web’ option from the icon in the System Tray, without knowing the username or password.
With SkyDrive, it was possible to synchronise to an account if the client software was installed on a PC with an associated username and password, by running the PC within a virtual machine connected to the internet.
But connecting to the user account through the Microsoft SkyDrive client software's system tray icon required knowledge of the username and password.