Did you know Google is collecting Wi-Fi passwords saved on Android smartphones and tablets? You can thank the baked-in backup feature in Android for this, as the platform sends personal data into the cloud so that when users purchase a new Android device or need to restore one to factory defaults, all settings can be restored after signing into a Google account, even Wi-Fi passwords.
Say, for instance, you have the first-generation Nexus 7 tablet. Before Android 4.3 "Jelly Bean", it was a necessity to restore the tablet back to factory defaults in order to clean out the unused data (garbage) piled on the internal storage. Once the tablet was cleaned and signed back into the Google account, it re-downloaded all apps and settings previously installed on the device. Initially you can't even tell that the tablet restored all Wi-Fi settings because you've already enabled primary access prior to re-installing Android.
"A wide variety of your personal data is backed up, including your Wi-Fi passwords, Browser bookmarks, a list of the applications you’ve installed, the words you’ve added to the dictionary used by the onscreen keyboard, and most of the settings that you configure with the Settings application," states the Users Guide on page 374."Some third-party applications may also take advantage of this feature, so you can restore your data if you reinstall an application."
The backup storage option has been around since Android 2.2 "Froyo", and is enabled by default. In Android 4.1.2 this option is listed under Settings/Privacy and clearly reads "back up app data, Wi-Fi passwords and other settings to Google servers". In Android 4.3, this option can be found under Settings/Backup & Reset. This feature is definitely super convenient for users who switch Android devices often (cough), but it's also a little scary given that Google does not encrypt consumer-based stored data on the server side, only when it's transmitted.
Apparently the big recent stink surrounding the Android backup feature is that Google can actually read those Wi-Fi passwords because they're stored in plaintext. That doesn't mean Google employees are digging through the database reading the passwords of millions of Android customers. That means government agencies requesting user data will have no problem taking that easily readable information and logging into your local network.
"Since backup and restore is such a useful feature, and since it's turned on by default, it's likely that the vast majority of Android users are syncing this data with their Google accounts," said Micah Lee, a staff technologist at the Electronic Frontier Foundation. "Because Android is so popular, it's likely that Google has plaintext Wi-Fi passwords for the majority of password-protected Wi-Fi networks in the world."
Paul Ducklin of security firm Sophos points out that the list of Wi-Fi networks on an Android device is likely larger than the single access point in the user's home (I have four just in my house). Thus each Android device backing data up into the cloud is essentially helping Google add to the already extensive maps of Wi-Fi access points built up over the years. The solution, then, is to encrypt everything on the device before backing up into the cloud.
"The problem with that is it's not quite as convenient, not least because there's no password-free way to recover that backed-up data, for example if you forget your password. That's the dilemma we all face," he writes. "Are you prepared to accept a digital equivalent of locking your keys in the car forever (for example if you forget your full-disk encryption password and didn't save the recovery key)? Or would you prefer to have what amounts to a backdoor to your own, or worse still, to other people's, personal information?"
Good question. Sometimes I think it would be better to just go back to rotary phones and using books to access information. Regardless, if you don't want Google storing your personal information, then turn off Android's backup feature.