Insecure Defaults

wifi travel security networking

Two posts in a day? Post number two mere hours after this one?

Well, I posted about the fast Internet and then realised I failed to mention a critical other topic - is it secure?

Turns out no - no it's not secure. This isn't necessarily the nightmare you may imagine; however, Android's and iOS' default behaviours make it far worse. Let me explain.

Scenario one - unencrypted wifi

As the name implies, we're talking about a wifi network that doesn't enforce a password (ideally WPA2 or better) to connect. This means anyone within physical range can "listen" to your network traffic, see what sites you're connecting to, and even capture the content of that communication. While this may sound scary, it's a similar risk to what you're exposed to just by connecting to the Internet. The owner of an encrypted wifi network could still capture and listen to your traffic, and even the internet itself is not free of eavesdropping and surveillance. You need to assume no privacy as the default - assume your communication over the Internet is always subject to eavesdropping.

This is why practically all modern internet traffic is encrypted in transit. The vast majority of what you do will be over HTTPS, and very little traffic should take place over clear-text protocols. Modern web browsers will even warn if a site you're using isn't offering HTTPS connectivity. In short, you are subject to similar security over an unencrypted wifi network as you are over the internet. Yes, there are still edge cases where a malicious actor connects to the same wifi network as you and targets your device itself - but this is an edge case.

Scenario two - shitty defaults

This is where the rubber hits the road. Shitty defaults. Specifically, remembering the insecure network so as to connect to it later. While I'm on holiday I have a Windows laptop with me (not my linux one this time), an iPhone and an Android.

Interestingly, Windows offers the best default: when you connect to an insecure network, it makes you specifically tick the "Connect automatically" check box if you want your laptop to re-connect when you're next in range of that network.

[Screenshot: Windows]

Both Android and iOS take the completely wrong approach, defaulting to reconnecting to the insecure network: "Auto-connect" in Android language and "Auto-Join" in iOS language. To make matters worse, this is a default that can only be disabled by jumping into the wifi network's settings.

[Screenshot: Android]

[Screenshot: iOS]

So why does this matter? It matters because now your phone is broadcasting and searching for this insecure network. Any time it sees the network it will automatically connect.

This can happen anywhere. You could connect to your holiday wifi next time you're on holiday 👍, or next time you're at your favourite coffee shop🤔.

This is because devices like the WiFi Pineapple are designed to listen for the wifi networks a device is seeking and offer them to it. Once you're connected to a network controlled by a malicious actor, traffic can be intercepted, modified, or redirected. DNS can be poisoned so that services which otherwise seem secure aren't. Or maybe enough "insecure" warning pop-ups will just annoy you enough to finally click "accept" and move on. This isn't as far-fetched as it sounds.

Any solutions?

Google and Apple need to do better with this. Auto-connecting shouldn't be the default. At the very least, an auto-connect should expire after a period of inactivity when the network is unencrypted. Perhaps after 48 hours with no use?

For now, you need to remember whether you've used an unencrypted wifi network and manually remove it once you're done. Get into the habit of checking your devices' remembered networks. It's a pain, but worth the safety benefit.
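To make that habit checkable on the Windows laptop, here is an added example (not from this post) that audits saved wifi profiles for exactly the combination described above: open authentication plus automatic reconnect. It assumes the field labels of `netsh wlan show profile` output; the sample profiles are constructed, and `live_profiles()` is only for running it on a real Windows machine.

```python
import re
import subprocess  # used only by live_profiles(); the sample run needs no Windows

# Constructed samples shaped like `netsh wlan show profile name=<name>` output on
# Windows (assumption: these field labels; real output has more sections).
SAMPLE_PROFILES = {
    "HotelGuest": """    Name                   : HotelGuest
        Connection mode    : Connect automatically
    Authentication         : Open
    Cipher                 : None""",
    "HomeNet": """    Name                   : HomeNet
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal
    Cipher                 : CCMP""",
    "CafeWifi": """    Name                   : CafeWifi
        Connection mode    : Connect manually
    Authentication         : Open
    Cipher                 : None""",
}


def _field(text, label):
    """Value of a `Label : value` line in a netsh profile dump ('' if absent)."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else ""


def risky_profiles(profiles):
    """Names of saved networks that are unencrypted AND set to rejoin on their own.

    profiles maps profile name -> netsh profile text. Open + manual connect is
    not flagged (the device won't silently rejoin it), and encrypted + automatic
    is fine for this check; it is the combination that the post warns about.
    """
    flagged = []
    for name, text in profiles.items():
        auth = _field(text, "Authentication").lower()
        mode = _field(text, "Connection mode").lower()
        if auth == "open" and mode.startswith("connect automatically"):
            flagged.append(name)
    return sorted(flagged)


def live_profiles():
    """Read every saved profile from the local machine (Windows only, via netsh)."""
    listing = subprocess.check_output(["netsh", "wlan", "show", "profiles"], text=True)
    names = re.findall(r"Profile\s*:\s*(.+?)\s*$", listing, re.M)
    return {n: subprocess.check_output(["netsh", "wlan", "show", "profile", f"name={n}"],
                                       text=True) for n in names}
```

Anything `risky_profiles(live_profiles())` returns is a network to forget or to switch to manual connection.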
