The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!

I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home where I know nobody is running a packetsniffer. The trouble with SSH tunnels though is that they’re fickle, and often drop. I wanted a better solution – so I made one.

www.atenlabs.com/zipline

Right now its pretty much just a VPN. My goals are pretty straight forward

• Obtain subscribers, and offer excellent service
• Grow the product, then upgrade the hardware and bandwidth
• Value-Adds, like in-line antivirus, antispam, malware etc – make the product SAFER
• Bolt on business-class solutions like traffic shaping, packet prioritization and SLA guarantees.

My inital product pricing will be something like this:

• $15/mo or $150 a year for the base package (You save 2 months worth by buying a year in advance)
• $25/mo or $250 a year for higher packet priority
• Business class services – still working this one out.

I’m totally open to collaboration. I built this for myself, and my friends – so that we could feel secure using sites, and applications that were built insecurely on public wireless networks without fear of someone capturing our credentials, or snooping in on our traffic (e.g. airpwn, ettercap, goatseAP and the others)

Ideas? Comments? Hatemail? Drop me a note!