Open source software security

Yet Another Reason

24 June 2011
Yesterday I was alerted to yet another reason why I don't trust my mobile platform. Even though I use Google Android, which is "open source," and even though I consider myself relatively privacy aware, an article in Tech Republic points out that Google is storing the keys to my wireless access points. These keys are the equivalent of passwords for these access points. Yes, that's right, Google is storing the keys to access my home network, my work wireless, and even the wireless at the hospital I visit, "in the cloud."

This fact, combined with ongoing concern over Google indexing wireless access points, leads me to believe that Google could be amassing a database of access points along with the credentials needed to access them. Even if one believes that Google will "do no evil" and not leverage these resources for some nefarious purpose, the mere existence of this aggregated data should be a cause for concern. One need only consider a scenario where law enforcement wants access to your home network to see the issue. There is also the concern that an attacker (China anyone?) might break into Google, steal this information, and sell it on the black market.

It turns out that you can stop Google from backing up your data in "the cloud" (leaving aside that ridiculously vague description of a storage mechanism) by adjusting your Android platform's settings. By going to Settings -> Privacy and unchecking the "Back up my data" checkbox, you'll disable this "feature." You will be prompted with an ominous warning when you do this, but leaking your wireless credentials should be cause for concern.

Google already collects a massive amount of data about internet users, from their web searches, to the IP addresses they use, to their Gmail and Picasa information, and even in some cases their DNS queries (which can be used to track browsing behavior). The fact that Android ships with this feature enabled at all is incredibly worrisome.

Sure, it's handy to have your data preserved in case something happens to your phone, and it's one thing to back up your contacts (which in and of itself produces privacy concerns), but to back up access credentials is completely unprecedented.