Instagram Mobile App Only Partially Encrypted by Facebook

Facebook fails to fully encrypt data on its Instagram mobile app, which puts user security and privacy at risk.

Facebook is not encrypting certain traffic flowing into and out of the mobile variety of its photo-sharing service, Instagram. While the company says it plans to implement full encryption there in the future, it has not yet committed to a date by which that transition will be complete.

In other words, when you’re using the Instagram application on your mobile device, an attacker on the same network could potentially monitor the pictures you are viewing, surveil session cookies, and determine your username and ID.

At the moment Facebook accepts the risk of parts of Instagram communicating over HTTP and not HTTPS

Mazin Ahmed, an information security specialist at Defensive-Sec, wrote about Instagram’s less than total deployment of encryption on his personal blog on Saturday. He tested the Android version of the Instagram application using a packet sniffing tool called WireShark.

WireShark essentially has the capacity to watch packet traffic on the network to which it has access, whether you’re plugging it into your home network or someone is watching data move on a public network somewhere. If the data is encrypted, then the packets will be impossible to read. If the data is not encrypted, then the data will appear to the WireShark user in plain, readable text.

In Ahmed’s case, he noticed that Instagram was only encrypting some of the traffic on its mobile application.

In an email interview with the Kaspersky Daily, Ahmed noted that he tested this on the Android Instagram application. However, he says he believes that the attack would work for the iOS app as well because both rely on the same server which does not appear to uniformly enforce SSL.

Ahmed writes in his post that he reached out to Facebook, who – he claims – acknowledged the incomplete nature of Instagram’s mobile encryption, saying the following:

“Facebook has discussed this issue at length and plans on moving everything on the Instagram site to HTTPS. However there is no definite date for the change. At the moment Facebook accepts the risk of parts of Instagram communicating over HTTP and not HTTPS. We consider this a known issue and are working toward a solution in the future.”

The Kaspersky Daily reached out to Facebook to confirm, but they did not immediately reply to our requests for comment.

If you are worried about having your Instagram traffic spied upon, the best bet, Ahmed says, is just to refrain from using the service’s mobile app until Facebook gets serious about encrypting it. He recommends that users stick to the Web version of Instagram, which supports HTTPS more completely.