{"id":5562,"date":"2014-07-30T10:00:15","date_gmt":"2014-07-30T14:00:15","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=5562"},"modified":"2020-02-26T10:54:12","modified_gmt":"2020-02-26T15:54:12","slug":"instagram_mobile_lacks_encryption","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/instagram_mobile_lacks_encryption\/5562\/","title":{"rendered":"Instagram Mobile App Only Partially Encrypted by Facebook"},"content":{"rendered":"<p><a href=\"https:\/\/www.kaspersky.com\/blog\/?s=Facebook&amp;submit=Search\" target=\"_blank\" rel=\"noopener nofollow\">Facebook<\/a>\u00a0is not encrypting certain traffic flowing into and out of the mobile variety of its photo-sharing service,\u00a0Instagram. While the company says it plans to implement full encryption there in the future, it has not yet committed to a date by which that transition will be complete.<\/p>\n<p>In other words, when you\u2019re using the Instagram application on your mobile device, an attacker on the same network could potentially monitor the pictures you are viewing,\u00a0surveil\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/cracking-cookies\/\" target=\"_blank\" rel=\"noopener nofollow\">session cookies<\/a>, and determine your username and ID.<\/p>\n<p>Mazin\u00a0Ahmed, an information security specialist at Defensive-Sec, wrote about Instagram\u2019s less than total deployment of encryption on\u00a0<a href=\"http:\/\/mazinahmed1.blogspot.com\/2014\/07\/session-hijacking-in-instagram-mobile.html\" target=\"_blank\" rel=\"noopener nofollow\">his personal blog<\/a>\u00a0on Saturday. 
He tested the Android version of the Instagram application using a packet-sniffing tool called\u00a0Wireshark.<\/p>\n<p>Wireshark\u00a0can watch packet traffic on any network to which it has access, whether you\u2019re plugging it into your home network or someone is watching data move on a public network somewhere. If the\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/gpg-strong-encryption-and-digital-signing-made-easy\/\" target=\"_blank\" rel=\"noopener nofollow\">data is encrypted<\/a>, then\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/the-wonders-of-hashing\/\" target=\"_blank\" rel=\"noopener nofollow\">the packet contents will be unreadable<\/a>. If the data is not encrypted, then it will appear to the\u00a0Wireshark\u00a0user in plain, readable text.<\/p>\n<p>Ahmed noticed that Instagram was encrypting only some of the traffic on its mobile application.<\/p>\n<p>In an email interview with the Kaspersky Daily, Ahmed noted that he tested this on the Android Instagram application. However, he says he believes that the attack would work for the iOS app as well because both rely on the same server, which does not appear to enforce SSL uniformly.<\/p>\n<p>Ahmed\u00a0writes\u00a0in his post that he reached out to Facebook, which \u2013 he claims \u2013 acknowledged the incomplete nature of Instagram\u2019s mobile encryption, saying the following:<\/p>\n<p><em>\u201cFacebook has discussed this issue at length and plans on moving everything on the\u00a0Instagram\u00a0site to\u00a0HTTPS. However there is no definite date for the change. At the moment Facebook accepts the risk of parts of\u00a0Instagram\u00a0communicating over HTTP and not\u00a0HTTPS. 
We consider this a known issue and are working toward a solution in the future.\u201d<\/em><\/p>\n<p>The Kaspersky Daily reached out to Facebook to confirm, but they did not immediately reply to our requests for comment.<\/p>\n<p>If you are worried about having your\u00a0Instagram\u00a0traffic spied upon, the best bet, Ahmed says, is just to refrain from using the service\u2019s mobile app until Facebook gets serious about encrypting it. He recommends that users stick to the Web version of\u00a0Instagram, which supports\u00a0HTTPS\u00a0more completely.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Facebook fails to fully encrypt data on its Instagram mobile app, which puts user security and privacy at 
risk.<\/p>\n","protected":false},"author":42,"featured_media":5563,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[261,20,765,218,211],"class_list":{"0":"post-5562","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-encryption","9":"tag-facebook","10":"tag-instagram","11":"tag-mobile-security","12":"tag-social-media"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/instagram_mobile_lacks_encryption\/5562\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/instagram_mobile_lacks_encryption\/3825\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/instagram_mobile_lacks_encryption\/3724\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/instagram_mobile_lacks_encryption\/4214\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/instagram_mobile_lacks_encryption\/4469\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/instagram_mobile_lacks_encryption\/4780\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/instagram_mobile_lacks_encryption\/4389\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/instagram_mobile_lacks_encryption\/4780\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/instagram_mobile_lacks_encryption\/5562\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/instagram_mobile_lacks_encryption\/5562\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/encryption\/","name":"encryption"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":
[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5562"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5562\/revisions"}],"predecessor-version":[{"id":33267,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5562\/revisions\/33267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5563"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}