Sep 07 2012

So recently, I got a nice new phone, a Samsung Galaxy S II.

When I set it up, I realized that Samsung chose to replace the built-in Google e-mail application with their own. This was a bit of a disappointment as the Samsung version seemed a tad less flexible and less configurable than the (also pedestrian) Google program, so I opted for the open-source K-9 Mail instead, which works very well indeed.

Today, I noticed that all of a sudden, my server is showing IMAP logins using my user ID from a strange IP address, occurring like clockwork, every five minutes. The IP address belongs to Samsung in Germany, Frankfurt to be precise. This was odd because my phone was actually connected to my home Wi-Fi, so there was no reason for it to go through a distant proxy server. Suspecting that something was afoot, I turned the phone off. The IMAP logins from the German IP address continued.

At this point, I immediately changed all relevant passwords. The login attempts (no longer successful) continued for a while, then stopped.
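As an added illustration, not code from the post, here is a small Python detector over constructed Dovecot-style IMAP login lines: it flags source addresses outside a known set whose logins recur on a fixed cadence, the pattern the five-minute logins described above would produce. The log lines, addresses and user name are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Dovecot's imap-login format; the user name
# and IP addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
Sep  7 18:00:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
Sep  7 18:05:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
Sep  7 18:07:44 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
Sep  7 18:10:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
Sep  7 18:15:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
Sep  7 18:20:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]+)>, "
    r"method=\S+, rip=(?P<rip>[\d.]+)"
)

def parse_imap_log(text, year=2012):
    """Return (timestamp, user, remote_ip, success) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["rip"], m["outcome"] == "Login"))
    return events

def find_suspicious_sources(events, known_ips, period_s=300, tolerance_s=30, min_events=3):
    """Flag remote IPs outside known_ips whose attempts (successful or not)
    repeat at roughly period_s seconds, i.e. an automated poller."""
    by_ip = defaultdict(list)
    for ts, _user, rip, _ok in events:
        by_ip[rip].append(ts)
    findings = {}
    for rip, stamps in by_ip.items():
        if rip in known_ips or len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            findings[rip] = {"attempts": len(stamps), "mean_gap_s": sum(gaps) / len(gaps)}
    return findings
```

Failed attempts are counted alongside successful ones so the cadence stays visible after a password change, as it did in the post.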

But what was this? A bit of research showed that the IP addresses are characteristic of Samsung’s “Social Hub” program. Apparently when I entered my login credentials using the Samsung version of the basic e-mail app, it passed on that information to Samsung’s Social Hub servers. So without my knowledge and my approval, my password to my personal account on my Linux server was sent to, and stored on, a server in a foreign country. (And no, I don’t want to hear that I actually gave my approval by clicking the Accept button on a 50-paragraph unreadable user agreement when I started using my phone. This kind of potential security breach must require up-front notification of the user and explicit approval.)

I have since kind of confirmed it by noting that Social Hub indeed shows my e-mail account as being registered, even though I deleted my login credentials days ago from the Samsung e-mail app proper. Worse yet, it seems impossible to delete this account from Social Hub; when I try, I just get a “Loading…” screen that stays on forever.

I still like this phone, but my opinion of Samsung just sank several notches all at once. A high technology company should be much more conscious of its users’ security needs and much more proactive in protecting them. Indeed it leaves me wondering if, perhaps, it might have been possible for a smart hacker to use social engineering and trick Samsung into revealing this information… which Samsung should never have obtained without my explicit permission in the first place.

Posted by at 9:37 pm