Don't Use Just Any Wireless While Using Your iPhone - Unless You Want To Put Yourself At Risk
October 19, 2009
You're probably familiar with this Pop-up. It might make you think "why don't I use this open Wifi, it's faster than 3G and I'm saving on my Data plan". Well, you might want to reconsider. Whenever you're on a network, especially on open Wireless Networks, where all the data you exchange with your iPhone is being sent all around you for everyone to read. I decided to look into it and see how much information could be available if someone sneaky were looking for it.
I downloaded a couple of freely available applications on my laptop, fired them up, connected my iPhone to my local wireless network and innocently started to use my iPhone like I do everyday. I checked my email, chatted with a friend, went on a couple of websites and placed a couple of calls via VoIP...
Web Browsing / POP Email / Some Apps
Ninety percent of web browsing goes through insecure channels (like when you see a website that doesn't start with "https://"). Someone just "listening" to the network will be able to see this picture you're downloading, this article you're reading or what you're saying on AIM . This can even be done directly from another iPhone. Same with unencrypted email addresses (mostly POP protocol). When Mail.app is gonna fetch new data, the password stored on your phone is sent in clear text and anybody can see it.
Voip
When you place a call using a VoIP app on a wireless network, the communication is sent as clear data. It means that someone listening to the connection will be able to hear your conversation. When I tried I thought it's actually pretty funny to listen to yourself talk... Or is it scary ?
Good point for Skype which uses a secure protocol, so no worries on this side.
This is where you stand if the person snooping around isn't too skilled or wants to stay completely undetected. This kind of "passive" listening is practically undetectable. Imagine although that you're unlucky enough to be watched by someone with a little bit more experience (I'm talking of a couple of hours of online research top).
Secure Websites / Imap Email (like Gmail and Mobile Me)
This is very troubling for many people. When using unencrypted services, you know what to expect. On the other hand, when you're using a secured website or service, you might be brought to believe that you're safe. You're not.
By implementing a simple Man-in-the-middle attack, my system was able to register all of my passwords, including those from my Gmail and Mobile Me accounts. It means that if somebody was actually trying this on you this morning when you were sipping your Latte at Starbucks while checking emails on your iPhone, he could track you all day using the locate my iPhone feature.
One hitch tho, the iPhone didn't let this happen without any complaints. I got an error message while checking my mail.app
I also had safari warn me at one point. Maybe a little bit more informative this time.
Would anybody bother worrying about this ? No. Most people just click OK and continue, those messages show up 95% of the time because there's been some kind of error. Well you might have just given your password to some punk.
You're probably asking yourself, what can I do about it ? Here are some basic security advice for your daily iPhone usage :
- Try avoiding WiFi networks (Especially public ones, but you might also be at risk home)
- Use a VPN when possible
- Don't click Accept or Continue if you cross one of these errors