I have an iPhone 3G and I use it over wifi at home and 3G everywhere else. I was playing around with my iPhone, installing several apps, and some require login & passwords. I'm pretty good about requiring SSL to log into websites, or using a disposable password when I can't use SSL. It got me wondering how Facebook Apps communicate. I heard a rumor that they communicate with the apple server, but had no idea if it was true.
To see what's going on, I had to do a packet capture. I have high speed internet with a cable modem, and a Linksys router running DD-WRT. DD-WRT lets you run applications on it using ipkg-opt. I installed tcpdump and used a 2GB MMC card to store the data. I ran tcpdump to capture all of the packets to and from my iPhone and downloaded them from the router to my computer.
I fired up Wireshark to see what was going on. I found that the iPhone communicates directly with a Facebook server and doesn't go through AT&T. It makes requests over port 80 and the data is returned as XML data. This was all in clear text, including the full names of my friends on Facebook.
When most users log into Facebook, they log into http://www.facebook.com. When they type in their email and password, the form submits to an HTTPS, you get a session key and it puts you back on HTTP. I wanted to find out how the Facebook App logs in.
I logged out of my account on the Facebook app and started a packet capture. I logged in and opened the file in Wireshark. Sure enough, the login goes over SSL, just like the web page and forwards you back to unencrypted HTTP.
In the case of the Facebook iPhone app, your login credentials are submitted over SSL, but the rest of your data is in the clear. Remember this the next time you open up the Facebook app in an internet cafe! At the moment, the Facebook App will not let you get all data over HTTPS