With more and more people adopting tablet and smartphone devices running the Apple iOS and Google Android operating systems, I thought it timely to remember an important security issue if you choose to run the Google Chrome web browser on your device.
I must admit, I had completely forgotten about this issue until yesterday when testing on my iPad, an early prototype for a web application I’m currently building for myself. This web application displays to the user – (well, me in this instance) – the IP address and corresponding hostname from which they are logging into the application.
I noticed the following statement of those details (outlined in red, click for a larger view):
Why is it coming up that I am logging in from a Google IP address/hostname? I was testing this during my lunch break at the office, so this wasn’t what I was expecting.
After a few seconds of puzzling, I remembered why this was so.
Google Chrome on iOS and Android has a “Reduce Data Usage” option, which seeks to compress data coming across the internet into your device, thereby reducing the overall amount of data you download.
Possibly a good thing – but the fact that a Google IP address comes up when browsing to my web application reminds me that all traffic using this feature in Google Chrome for iOS or Android is routed through a Google server before it comes back to my device.
Be conscious of what that means – Google can not only see where you are browsing, but what the content of the sites you are browsing actually is. If you are browsing a corporate website that is normally password protected – (and therefore is normally unable to be indexed by Google) – it is now passing through their servers, thanks to the password you entered to access the page.
Fortunately, if the page you are browsing to is SSL encrypted – (or is inside an ‘incognito’ tab) – it does not pass through the Google proxy servers. The SSL would not work if such pages tried to use this connection method.
Hopefully, if your systems administrators are on the ball, even sites that are only accessible inside your corporate network are SSL encrpyted as a matter of course. Certainly, all of my live web applications are SSL encrypted, which is why I don’t usually see this behaviour, and why it had slipped my mind a little bit yesterday.
I’ve been working on this application without SSL, because I don’t have a spare IP address at the moment to do SSL on this app – something that I will able to fix when the application this new one is replacing is switched off – I’ll re-use that IP address.
You will notice straight away when I switched the “Reduce Data Usage” option off, it was clear that the traffic was no longer being routed via Google, as the address I was logged in from was now as expected, with an IP address/hostname that comes from the corporate network in the office:
So, if you are nervous about what Google might be seeing or not seeing when you are using Google Chrome on iOS or Android, consider turning this feature off in “Settings”, as shown:
Of course, I don’t know for certain if Google are capturing the traffic for other purposes as it passes through their proxy servers, but with my ‘security hat’ on, I do see this behaviour as – (at the very least) – an issue to be aware of.
Looking for the best IT security functionality possible is basically second nature to me – it’s part of what I do every day – so if something like this can slip my mind even just a little bit, it can easily slip yours a lot.
If you even knew about it in the first place.
As this option is switched on by default, I’m betting you didn’t even know about it – so have a think, and have a look.
Safety first.