Android Smartphone failed to encrypt Facebook and Google transmissions

Dan Wallach, a computer science professor at Rice University, recently discovered some very disturbing vulnerabilities while accessing Google and Facebook from a smartphone running the Android operating system.

In an undergraduate class experiment, the Wireshark network sniffer was deployed, and Wallach then conducted a series of internet transmissions from his smartphone.

The first finding was that Facebook https doesn’t always work, even when it is selected by the user. The Android application encrypted the login credentials, but failed to encrypt any other Facebook traffic. The Facebook https activation screen clearly states:

Browse Facebook on a secure connection (https) whenever possible

Users should not be lulled into a false sense of security thinking that all Facebook transmissions are encrypted by selecting this option. If a third party application or device manufacturer fails to support https connections, your data transmissions are not secure.

Ironically, Google failed to encrypt data sent to the Google Calendar service. This should be a little harder to swallow since Google, of course, is the owner and creator of the Android operating system. The failure to encrypt Calendar data could raise immense privacy and safety concerns should the information fall into the wrong hands. Data transmissions to other Google services were encrypted.
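The kind of check this experiment relies on can be sketched in a few lines. This is an added example, not Wallach's tooling or code from the original post: it classifies the first bytes a client sent on each flow as TLS or cleartext HTTP, by content rather than by port, and lists which hosts received requests in the clear. The flow tuples, hostnames and header values are constructed samples.

```python
"""Classify client-to-server payloads as TLS or cleartext HTTP (added example)."""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")
SENSITIVE = (b"cookie", b"authorization")


def classify(payload: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' from the first bytes a client sent."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def audit(flows):
    """flows: iterable of (dst_port, payload). Returns one finding per cleartext request."""
    findings = []
    for port, payload in flows:
        if classify(payload) != "http":
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        headers = {}
        for line in head[1:]:
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        findings.append({
            "port": port,
            "host": headers.get(b"host", b"?").decode("ascii", "replace"),
            "request": head[0].decode("ascii", "replace"),
            # Report only that a session-bearing header was exposed, never its value.
            "exposes_session": any(h in headers for h in SENSITIVE),
        })
    return findings


# Constructed sample flows; hostnames are placeholders, not captures from the experiment.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("160301002f010000") + b"\x00" * 8),  # start of a TLS ClientHello
    (80, b"GET /feed HTTP/1.1\r\nHost: social.example\r\nCookie: sid=constructed\r\n\r\n"),
    (80, b"GET /calendar/events HTTP/1.1\r\nHost: calendar.example\r\n"
         b"Authorization: Bearer constructed\r\n\r\n"),
    (80, b"GET /logo.png HTTP/1.1\r\nHost: static.example\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

A login flow that shows up as `tls` while later requests to the same service show up as `http` with `exposes_session` set is the pattern the article describes for the Facebook application.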

Security experts are adamant in their call for both Google and Facebook to require mandatory https connections. By design, their platforms could reject any connection attempt made over a non-secured protocol. Enforcing such a strict policy, however, could diminish the “user experience” or create a backlash from third-party developers.

Although it’s not perfect, it is still a good idea to secure your Facebook sessions. If you haven’t taken the time to secure your Facebook account with https settings, check out our guide on the topic:

Secure your Facebook account with HTTPS in three steps

If you would like to read Wallach’s blog for a detailed account of his classroom experiment, click here.
