Quick answers for the impatient readers:
- “It’s easy”
Below are my comments on some reactions I have seen regarding this "Nokiagate".
1) You are stupid! Don’t you know there is a new service called “Nokia Messaging”? It has to be able to retrieve your messages from the server!
Yes, I know there is a solution called Nokia Messaging (read more from here), but maybe I wasn’t clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service, and I am not using, nor planning to use, Nokia’s messaging proxy.
The messaging proxy is a piece of software that you can use if you wish; there’s nothing wrong with that. If you want to use it, then you understand and accept that your credentials must be available to the proxy - otherwise things will not work. When you sign up for such a service, that is made clear to the user and he accepts it. However, this wasn’t the case in my email issue.
After the email wizard has finished the email configuration, all network connections go from my terminal directly to the IMAP/POP email server, not to any messaging proxy. When I use email, the data traffic doesn’t go via Nokia. There is no reason why my credentials should be sent anywhere other than to my email server.
2) Is the data encrypted?
Yes, the data is encrypted. Read the next sentence aloud in an ironic voice: “When I configure a private email account on my phone, my email credentials are sent to Nokia in a secure way.”
3) Can’t believe this! Can I verify this myself?
It’s easy. First of all, you need some way to intercept all network traffic originating from your terminal. For this purpose I used WebScarab and Wireshark. WebScarab is a tool that creates an HTTP proxy which allows you to inspect and control both HTTP requests and responses. Install, configure and run it on your desktop. Check your desktop’s IP address and the port WebScarab is listening on.
Because sniffing the cellular network is beyond my skills, I used WiFi as the data bearer (the email wizard will silently use the cellular network if it is available). To force a WiFi connection, put your terminal into offline mode and/or remove the SIM card. Then configure a WiFi access point that uses your WebScarab desktop as a proxy (you need the IP address and port here).
When you think you are done, launch the browser on the phone and try to open some site. If you see the request in WebScarab, the configuration is correct. If not... well, I don’t provide support for this setup.
Once the configuration is working, run the email wizard and see what happens.
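To make the last step less eyeball-driven, here is an added example (not from the original post) that scans intercepted requests for the credentials typed into the wizard: anything carrying the username or password to a host other than the configured mail server is reported. The request list, mail host and credentials below are constructed for the example, not a WebScarab export or real data.

```python
import base64
import urllib.parse
from urllib.parse import urlsplit

# Hypothetical values: the mail server configured in the wizard and the
# credentials typed into it. Replace with what you actually entered.
MAIL_HOST = "mail.example.org"
USERNAME = "alice@example.org"
PASSWORD = "s3cret-Passw0rd"

# Constructed sample of what an HTTP proxy shows: one request per dict.
# Only the URL and body are kept; a real capture would also have headers.
CAPTURED = [
    {"url": "http://www.example.com/", "body": ""},
    {"url": "https://config.example.net/wizard",
     "body": "imap=mail.example.org&user=alice%40example.org&pass=s3cret-Passw0rd"},
    {"url": "https://mail.example.org/", "body": ""},
]


def encodings(secret):
    """Forms in which a secret commonly shows up in an HTTP request."""
    return {
        secret,
        urllib.parse.quote(secret, safe=""),          # form/URL encoding
        base64.b64encode(secret.encode()).decode(),    # Basic-auth style
    }


def find_leaks(captured, mail_host, secrets):
    """Return (url, secret) pairs for requests to any host other than the
    mail server whose URL or body carries a secret in a known encoding."""
    leaks = []
    for req in captured:
        host = urlsplit(req["url"]).hostname or ""
        if host == mail_host or host.endswith("." + mail_host):
            continue  # traffic to the mail server itself is expected
        haystack = req["url"] + "\n" + req.get("body", "")
        for secret in secrets:
            if any(form in haystack for form in encodings(secret)):
                leaks.append((req["url"], secret))
    return leaks


if __name__ == "__main__":
    for url, secret in find_leaks(CAPTURED, MAIL_HOST, [USERNAME, PASSWORD]):
        print(f"LEAK: {secret!r} sent to {url}")
```

Feed it the requests recorded during the wizard run; an empty result means the credentials only travelled to the mail server.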
Request to readers
I don’t have any idea which terminals have this email wizard, or whether, where it exists, it behaves the same way when configuring an email account. If you find terminals behaving this way (sending passwords), please post the terminal information in this post’s comments. Include the terminal type and software version (you can see it by going to the telephony screen and typing *#0000#).
These are the devices and software versions on which I've tested and verified the password leak: