A security question about droids, Kindles and any other such device.

[Rayne Bluestone]

I recently was gifted a kindle fire  for Christmas,  and found that it had a browser on it that in theory I could use to go to various sites like this one.  My concern though is what information off say a smart phone, kind;e, nook or what device have you that site administrators can see.  Do they see the phone numbers, the account information, the registration information, or just the ip address and the mac address?  Also not sure if this question goes here in help or somewhere else.

[Vekseid]

I recently was gifted a kindle fire  for Christmas,  and found that it had a browser on it that in theory I could use to go to various sites like this one.  My concern though is what information off say a smart phone, kind;e, nook or what device have you that site administrators can see.  Do they see the phone numbers, the account information, the registration information, or just the ip address and the mac address?  Also not sure if this question goes here in help or somewhere else.

Your phone number, account/registration information, and mac address are never seen, though the mac address might be visible in some cases with IPv6.

A mobile request looks like this:

Code Select Expand


1.1.1.1 - - [31/Dec/2011:16:34:14 -0600] "GET /forums/index.php?action=post;topic=1.0;last_msg=1 HTTP/1.1" 200 10000 "https://elliquiy.com/forums/index.php?topic=1.0" "Mozilla/5.0 (Linux; U; Android Eclair; en-us Build/pandigitalopc1/sourceidDL00000009) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17"


IP addresses and thread ids redacted.

The first number is the IP address. This tells not just your IP, but companies like Amazon, etc. sell such data, so it's possible to get a good idea of your location, down to the city. Of course, for mobile phones, you're usually accessing through the carrier's proxies, so this doesn't apply. This goes for most mobile devices, though if you're accessing over wifi it will use your wifi data.

The next is the server's date and time of access, in the server's timezone.

The next, between the quotes there is the command the browser sent to request the page. The first word is the type of request (GET or POST, POST being when you post data to the server, like making a post) and the URL accessed. The HTTP/1.1 at the end there is the version of HTTP used... almost all humans use something that fetches in HTTP 1.1.

The number immediately after that is the response code. 200 is a success. You probably recognize others, namely '404' >_>

The next number is the size of the response in bytes (I also altered it).

The next value, between quotes is the referrer, where it was linked from.

The final value is the User Agent. Desktop UAs are more descriptive, but this tells me

1) That the user is running Android Eclair
2) That the user's machine is a Pandigital of some variety. The User Agent usually gives enough information about mobile browsers to identify the make and model.
3) And that it's a couple/few years old.

Your browser also sends a couple of other headers. HTTP_ACCEPT_LANGUAGE tells the server what language you prefer. Most of the rest are either obvious (HTTP_HOST - tells the server what site you want to see) or simply present capabilities (HTTP_ACCEPT_ENCODING - if you can accept compressed content)

If you don't have Javascript or any form of scripting enabled, that's it. It used to be possible to grab people's browsing history with css, but this was slow, tedious, and has been addressed in most modern browsers.



That changes if you do, and it can get creepy, fast.

Javascript on its own can expose
- Your screen's resolution and color depth
- Your system's time zone
- Your system's time
- Many of your installed extensions, toolbars, and their versions... between this and the user agent it's sometimes possible to see if a visitor has spyware installed. FunWebProducts is a particularly notorious offender. In theory this can uniquely identify you even if you delete all of your cookies. In practice, it's rather less common. You can see a full list of extensions that can be seen by going to the EFF's Panopticlick site. It's a good idea to prune stuff you no longer want or need, but make sure, first.

Flash is a clusterfuck and ever since Version 9 when it allowed a remote operator to turn on webcams and microphones without the owner's permission, Macs being especially vulnerable. I would always recommend making sure that Flash can never run without your explicit permission. For some, this isn't optional (iPhones and iPads) and they can't even run it if they want it. For everyone else, I recommend doing something:
Firefox: Flashblock
Chrome: enable Click to Play.
Opera: Similar to Chrome, go to Opera menu > Settings > Preferences > Advanced > Content > Enable plug-ins only on demand.
Safari: use ClicktoPlugin.
Internet Explorer: Tools -> Manage Add-Ons, click on "Shockwave Flash Object", click on "More information", then click the "Remove all sites" button. This isn't quite as convenient, as you're forced to whitelist entire sites at a time, but it's better than nothing. It's a good idea to do this for all of your addons that you don't disable or uninstall outright.

Java is a particularly notorious offender as it makes its own, independent connection to the Internet. This means that it will bypass simple proxies, and has its own history of security vulnerabilities, though it's not quite as plagued as flash is. The same goes for Adobe's PDF reader. Every extension is another way in and another potential way to learn something about you if a website owner (or hijacker) is feeling evil.

In general, though, the only thing that gets transmitted free, clear, and without flaw is your general location, and a proxy will not necessarily help you versus a smart webmaster. Everything else falls under
1) Stuff that's easily made to lie
2) Security problems
3) Stuff you don't care if the webmaster knows, or probably even want them to know - e.g. your screen's size.

[Rayne Bluestone]

Thank you greatly Vekseid, the only thing I was really worried about whether account information or phone numbers was visible.  That wariness has made me very wary of using web at all on either one since I was unsure.