What you might want to know about InstaFetch

InstaFetch is, for all intents and purposes, an Android app for connecting to your Instapaper data. If you don’t have an Instapaper account, you won’t care about the rest of this article. If you do have one, and use InstaFetch in any form, you may want to read up on what I found out with some packet sniffing of my own account.

I’d like to point out up front here that Marek Stój (the InstaFetch author) has been completely forthcoming when emailed for details. This isn’t so much a bashing of InstaFetch as it is a lesson in the care needed when installing and using so-called “native apps”.

There are 2 take-aways from this article: remember to use unique passwords for all sites (duh), and pressure developers of paid apps to make use of secure connections.

Is it a big deal if someone gets my Instapaper password? Not really, but yes. It shouldn’t be possible, regardless of the sensitivity level (the data in my Instapaper account). Looking through what is possible as a logged in Instapaper user, I’m not crazy about the idea of someone having my password.

Since I don’t have easy access to a wireless sniffer setup to watch the traffic from my phone, I installed the Android SDK, sideloaded InstafetchPro.apk (I’m a paying subscriber to InstaFetch), and fired up Wireshark to snatch the packets off my home wired network for examination.

Discoveries:

  1. InstaFetch does not communicate with Instapaper via TLS (https), yet Instapaper offers it. Your Instapaper account name and password are sent unencrypted from your device to the Instapaper server farm by InstaFetch. There is no option in InstaFetch to enable https to Instapaper.com that I can find.
  2. If you email text to your unique Instapaper email address for later reading, that data is stored on Instapaper’s servers and only accessible via an authenticated Instapaper account (of course). Since InstaFetch offers its own transcoding services (it’s not just an Instapaper client), it will send your Instapaper username and password (with other details) over bare http as a base64-encoded (not secure) string value to the variable ctx. The following data may be encoded in ctx: instapaper username, instapaper password (sent ONLY for articles hosted on Instapaper.com; this is needed so that the InstaFetch server can fetch the article and transcode it), flag saying whether it’s a pro app, platform id (Android/Windows Phone 7), app version.

One of the bare http requests to the InstaFetch server is shown below where you can see the base64 encoding of ctx:

GET /nreadability/transcode?
url=http%3A%2F%2Fnymag.com%2Fprint%2F%3F%2Fnews%2Ffeatures%2Fcollege-education-2011-5%2F&
rst=newspaper&rmg=xnarrow&
rsi=small&
ctx=Jmluc3RhcGFwZXJVc2VyTmFtZT1qYmxhaW5lQGtpY2tmbG9wLm5ldCZwbGF0Zm9ybT1BbmRyb2lkJnZlcn

Decoding the value of ctx via a simple web-based base64 decoder form gets us the following, where you can see this raw information. Luckily for me, I don’t make use of the Instapaper email drop box and my password is not included in the information:
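An added example, not part of the original post and not the decoded output referred to above: the same decoding step written as a check that can be run over captured request URLs, flagging any query parameter whose base64 payload holds credential-like keys and whether it travelled over bare http. The host `transcoder.example.test`, the key name `instapaperPassword`, the `SENSITIVE` list and all sample values are constructed assumptions; `instapaperUserName`, `platform` and the request path are taken from the request shown above.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

# Key-name fragments treated as sensitive (an assumption; tune for your audit).
SENSITIVE = ("user", "pass", "pwd", "token", "secret")


def decode_b64(value):
    """Return the decoded text if value is strict base64 holding UTF-8, else None."""
    value = value.replace(" ", "+")      # parse_qsl turns a literal '+' into a space
    value += "=" * (-len(value) % 4)     # senders often strip the '=' padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def audit_url(url):
    """List query parameters whose base64 payload carries sensitive key=value pairs."""
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        text = decode_b64(value)
        if text is None or "=" not in text:
            continue
        inner = dict(parse_qsl(text.lstrip("&"), keep_blank_values=True))
        hits = sorted(k for k in inner if any(s in k.lower() for s in SENSITIVE))
        if hits:
            findings.append({"param": name, "keys": hits,
                             "cleartext": parts.scheme != "https"})
    return findings


def sample_url(scheme="http", with_password=True):
    """Build a constructed request shaped like the one in the post (no real data)."""
    ctx = "&instapaperUserName=reader@example.test"
    if with_password:
        ctx += "&instapaperPassword=not-a-real-password"  # hypothetical key name
    ctx += "&platform=Android"
    query = urlencode({"url": "http://example.test/article", "rst": "newspaper",
                       "ctx": base64.b64encode(ctx.encode()).decode()})
    return f"{scheme}://transcoder.example.test/nreadability/transcode?{query}"


if __name__ == "__main__":
    for finding in audit_url(sample_url()):
        print(finding)
```

Plain parameters such as `rst=newspaper` and the `url` value are skipped because they fail strict base64 validation, so only the wrapped `ctx` payload is reported.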