How secure is your e-mail password?
There have been a lot of reports in the news during the last few months about politicians allegedly using non-secure/non-governmental e-mail servers, including concerns about hackers obtaining sensitive information. In some cases, changing e-mail security settings is easy to do, and can be accomplished in just a few seconds.
AT&T’s Video Optimizer examines the packets sent between your mobile phone and the network. One of the tool’s cool new features is the ability to look for text strings that are sent in clear text. In the following example, I turned off SSL to my e-mail account:
I then tested my phone with Video Optimizer, and collected a trace of e-mail arriving on my phone.
In Video Optimizer, under Tools -> Private Data Tracking, I added two fields:
The trace is then re-analyzed, and Video Optimizer looks for these strings, which are found!
As you can see, my e-mail address and password are being sent in clear text. Here is the actual data being sent:
I can replicate this on old Android devices like the Samsung S3, but also on new models such as the Samsung S7 running Android 7.0 Nougat:
If you want to be more careful with your e-mail on your mobile device, make sure you have turned on SSL. And you should never give your phone to others because turning SSL off is easy to do.
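The check described above, searching captured payload bytes for known private strings, as an added example (not code from the original post or from Video Optimizer). It also decodes base64 tokens, which goes beyond the post, because mail AUTH commands commonly carry credentials base64-encoded; the function name, account values and payloads are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be worth decoding
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

def find_private_data(payload: bytes, tracked: dict) -> list:
    """Return (label, how) pairs for each tracked string exposed in payload."""
    # Search the raw bytes and the decoded form of every valid base64 token
    views = [("clear text", payload)]
    for token in B64_TOKEN.findall(payload):
        try:
            views.append(("base64", base64.b64decode(token, validate=True)))
        except (binascii.Error, ValueError):
            continue  # not real base64, just an ordinary word
    hits = []
    for label, value in tracked.items():
        needle = value.encode()
        for how, data in views:
            if needle in data and (label, how) not in hits:
                hits.append((label, how))
    return hits

# Constructed account values, standing in for the two tracked fields
TRACKED = {"e-mail address": "alice@example.test",
           "password": "Tr0ub4dor-Example"}

# Constructed payloads: POP3 login without SSL, SMTP AUTH PLAIN without SSL,
# and bytes shaped like an encrypted TLS record
POP3_PLAIN = b"USER alice@example.test\r\nPASS Tr0ub4dor-Example\r\n"
SMTP_AUTH = b"AUTH PLAIN " + base64.b64encode(
    b"\x00alice@example.test\x00Tr0ub4dor-Example") + b"\r\n"
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))

if __name__ == "__main__":
    for name, payload in [("POP3", POP3_PLAIN), ("SMTP", SMTP_AUTH),
                          ("TLS", TLS_RECORD)]:
        print(name, find_private_data(payload, TRACKED))
```

A base64 hit is just as exposed as a clear-text one: the encoding is reversible by anyone who can see the packets, so only turning SSL back on removes both.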