Last fall, researchers at the University of New Haven’s Cyber Forensics Research and Education Group dropped the hammer on a number of Android apps, including those from some popular social networking and dating sites, for their insistence on sending data in the clear.
Pretty quickly, the UNHcFREG was inundated with calls and requests to use its technology to test other business and consumer apps. The result was released this week with the public availability of Datapp, a Windows 7 program that acts as a Wi-Fi hotspot for a mobile device, monitors HTTP traffic, and reports which data the device is sending unencrypted.
“Our goal was to create a system where a layman could click a button and see whether the images they’re sending are encrypted,” said Dr. Ibrahim Baggili, an assistant professor of computer science at the Tagliatela College of Engineering, and a forensics and security expert. Baggili supervised the project, which included lead developer Roberto Mejia and developer Kyle Anthony.
The free app, once installed on a Windows machine, turns the PC or laptop into a hotspot. The user then connects their mobile device to that hotspot, and the app watches the traffic and shows the user what their apps are doing with it in a dashboard.
It will list apps that are sending over HTTP or HTTPS, reconstruct unencrypted images from TCP/IP packets, and show on a world map the servers the data is being sent to.
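To show how a monitor of this kind can tell cleartext HTTP from TLS and pull an image back out of an unencrypted response, here is an added example; it is not Datapp's code, and the function names and sample packets are constructed for illustration.

```python
# Added example (not Datapp's own code): classify the first TCP payload of a
# flow the way a cleartext-traffic monitor would, and pull an image body out
# of an unencrypted HTTP response. The sample payloads below are constructed.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def _parse_headers(head: bytes) -> dict:
    """Turn the 'Key: value' lines after the start line into a lowercase dict."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return headers

def classify_payload(payload: bytes) -> dict:
    """Return what an awareness dashboard would show for one TCP payload:
    cleartext HTTP (and to which host), a TLS handshake, or unknown."""
    # TLS record header: type 0x16 = handshake, version 0x03 0x0{1,2,3}; the
    # first message of an encrypted flow is a ClientHello (handshake type 0x01).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3) and payload[5] == 0x01):
        return {"kind": "tls-handshake", "cleartext": False}
    head, _, body = payload.partition(b"\r\n\r\n")
    if payload.startswith(HTTP_METHODS):
        start = head.split(b"\r\n", 1)[0]
        method, path = (start.split(b" ", 2) + [b""])[:2]
        headers = _parse_headers(head)
        return {"kind": "http-request", "cleartext": True, "method": method.decode(),
                "host": headers.get("host"), "path": path.decode(errors="replace")}
    if payload.startswith(b"HTTP/1."):
        headers = _parse_headers(head)
        ctype = headers.get("content-type", "")
        result = {"kind": "http-response", "cleartext": True, "content_type": ctype}
        # Only a complete body can be reconstructed; a real tool reassembles the
        # TCP stream until Content-Length bytes have arrived before rendering.
        length = int(headers.get("content-length", "0") or 0)
        if ctype.startswith("image/") and length and len(body) >= length:
            result["image"] = body[:length]
        return result
    return {"kind": "unknown", "cleartext": None}

# Constructed sample payloads (only the record/header bytes matter here)
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"
HTTP_REQUEST = b"GET /api/photo?id=7 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: app/1.0\r\n\r\n"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: "
                 + str(len(PNG_BODY)).encode() + b"\r\n\r\n" + PNG_BODY)

if __name__ == "__main__":
    for sample in (CLIENT_HELLO, HTTP_REQUEST, HTTP_RESPONSE):
        print(classify_payload(sample))
```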
“It works with any HTTP traffic that is unencrypted,” Baggili said. “That’s the idea—to be able to test any app, and if it’s secure, it won’t show up on Datapp.”
Baggili said there could be consumer and business applications for Datapp, adding that one of the bigger eye-openers, for example, was that Facebook Messenger sends unencrypted data.
“This is not rocket science; we’re just testing if the apps are encrypted or not,” Baggili said. “That’s what we’re going after. This is like creating a man-in-the-middle with the push of a button, but it’s created for user awareness, not to steal data.”
After last September’s disclosure around the vulnerable Android apps, companies started patching and ensuring their data was encrypted in transit.
“We feel that if we give the user more power, companies will respond more vigorously,” he said.
Datapp is available for download, and there is a feedback link if there are any issues, Baggili said. For now, the app is exclusively for Windows, but Baggili said future versions could support more platforms, more protocols beyond HTTP, and target additional data such as voice and video traffic.
“[Early testers] have really liked it. We tried it at a couple of events where we had people connect and try out their apps,” Baggili said. “It’s eye opening in many ways when people actually see it. People are at a different layer of abstraction. If an app works, that’s cool and all most people care about. But once they see their data all over the place with their own two eyes, it’s a different experience.”