Micah Lee, staff technologist for EFF and CTO of the Freedom of the Press Foundation, has discovered that Android's "Back up my data" feature is as potentially dangerous as it is convenient, as it sends a lot of private information (including passwords) in plaintext to Google.
"Since backup and restore is such a useful feature, and since it's turned on by default, it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext Wi-Fi passwords for the majority of password-protected wifi networks in the world," he pointed out in Android’s bug tracker.
Add to this the fact that Google's own Street View cars have been known to collect Wi-Fi data, and it's easy to see that all this information can be combined and used to track a user's movement over time.
"If an NSA analyst, or likely someone from CIA or even FBI, asks Google for information about you, your house’s and office’s wifi passwords are likely included in that data. Without a warrant," he expounded further in a blog post, and added that any attacker that has that information can do a lot of harm.
"With your home wifi password, an attacker can sniff wifi traffic outside your house (without connecting to your network) and then decrypt it all, passively eavesdropping on your private network. If the attacker wants to do more active attacks, they can connect to your wifi network and mount a man-in-the-middle attack to eavesdrop on and modify any unencrypted Internet traffic. If you download a file, they can serve you a malicious version instead," he says.
"An attacker can scan for computers, phones, and tablets that are connected to your network, scan for open ports, and exploit vulnerable services. If you have a computer connected to your network that you haven’t done software updates on for a couple weeks, or that you’ve never configured a firewall on, or that you’ve installed random servers on and have never touched them since, there’s a good chance the attacker could take over those computers."
He doesn't explicitly say that the NSA or any other agency would do any of these things, but he is clearly uncomfortable with the possibility of them having access to this information.
And as Google is currently unable to legally refuse any such request from them, Lee considers the best option to be making it impossible for Google to comply, and urges the company to make it possible for users to encrypt synced passwords with their Google credentials or to encrypt all synced data with their own sync passphrase.
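
The second option Lee urges, a user-chosen sync passphrase, shown here as an added example that is not code from Google, Android or Lee's post: the device derives a key from the passphrase and encrypts the Wi-Fi record before upload, so the sync server only ever holds ciphertext. The function names, the record layout, and the choice of scrypt with AES-256-GCM are assumptions made for this illustration.

```javascript
const crypto = require('node:crypto');

// Assumed scrypt cost settings and format label; tune and name for a real client.
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('wifi-sync-v1');

// Constructed sample record, not real credentials.
const SAMPLE = { ssid: 'example-home', psk: 'constructed-sample-psk' };

function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, KDF);
}

// Runs on the device: the server receives only salt, nonce, ciphertext and tag.
function sealForSync(passphrase, record) {
  const salt = crypto.randomBytes(16);   // fresh per blob
  const nonce = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a key
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  c.setAAD(AAD);                         // binds the blob to this format label
  const ct = Buffer.concat([c.update(JSON.stringify(record), 'utf8'), c.final()]);
  const b64 = (b) => b.toString('base64');
  return { salt: b64(salt), nonce: b64(nonce), ct: b64(ct), tag: b64(c.getAuthTag()) };
}

// Runs on the restoring device; throws if the passphrase is wrong or the blob was altered.
function openFromSync(passphrase, blob) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(passphrase, raw(blob.salt));
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw(blob.nonce));
  d.setAAD(AAD);
  d.setAuthTag(raw(blob.tag));
  const pt = Buffer.concat([d.update(raw(blob.ct)), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Same as openFromSync, but returns null instead of throwing.
function tryOpen(passphrase, blob) {
  try { return openFromSync(passphrase, blob); } catch (e) { return null; }
}
```

Because the passphrase never leaves the device, a party holding only the stored blob has to guess the passphrase to recover the Wi-Fi key, which is why the key derivation is deliberately expensive.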