Seriously, Google? Android security flaw affects 99.7% of phones

It’s almost like we can’t go a week without a major mobile security flaw making headlines. German researchers have discovered that pretty much all Android phones (99.7 percent) have a major authentication flaw that could allow hackers to steal your digital credentials over open wireless networks.

They could then use those credentials to access your Google Calendar, Contacts and potentially other apps. Altogether now: Gulp.

It’s a particularly embarrassing security hole for Google, since it appears to be fairly easy to spot. The issue resides in Google’s ClientLogin authentication protocol for apps in Android 2.3.3 and earlier. Normally, apps use the protocol to request an authentication token (authToken), which contains your Google account credentials, and it can be reused for two weeks. But the researchers discovered that authTokens can also be easily sniffed by hackers when sent over unencrypted HTTP connections on open wireless networks.

According to the researchers — Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm in Germany — the authToken isn’t bound to any particular user session or device, which means hackers can use the sniffed authToken to change your Google contacts, calendar events and gain access to any other apps relying on ClientLogin.

The good news is that most of the issues appear to be fixed in Android 2.3.4 and beyond. There still seem to be potential issues syncing with Picasa, but Google is apparently working on a fix. The bad news is that most Android owners are still running older, vulnerable versions of the software, and Android manufacturers and carriers still haven’t perfected the art of delivering updates to consumers in a timely manner.

The security flaw is also reminiscent of the hubbub surrounding the Firefox extension Firesheep, which lets you easily track unsecured website logins from open Wi-Fi networks.

For now, the researchers say you can protect yourself by staying off unprotected Wi-Fi networks, or, if you have to connect to one, by switching off automatic synchronization in your Android settings. It will also help to have your Android phone forget the wireless networks it connects to, which will prevent hackers from spoofing familiar Wi-Fi hotspot names (a process known as an evil twin attack).

The researchers also suggest that developers switch all of their apps to the more secure HTTPS protocol for ClientLogin authentication, and that Google severely limit the lifetime of an authToken.
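To make the three weaknesses concrete (a bearer token sent in the clear, a two-week lifetime, and no binding to a device or session), here is an added example that is not from the article, the researchers, or Google's ClientLogin code. It models a toy token service two ways: a legacy policy that mirrors the article's description, and a hardened policy that requires TLS, shortens the lifetime, and demands a proof of possession signed with a per-device key. The one-hour lifetime, the 60-second replay window, the device name and the timestamps are all assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TWO_WEEKS = 14 * 24 * 3600   # lifetime the article attributes to a ClientLogin authToken
ONE_HOUR = 3600              # assumed short lifetime for the hardened design
REPLAY_WINDOW = 60           # seconds a signed request stays valid (assumed)


def sign(device_key: bytes, token: str, timestamp: int) -> str:
    """Proof of possession: HMAC over token and request time, keyed with a secret that never leaves the device."""
    return hmac.new(device_key, f"{token}|{timestamp}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Request:
    token: str
    over_tls: bool
    timestamp: int = 0   # only meaningful when a proof is present
    proof: str = ""      # empty for an unbound bearer token


@dataclass
class AuthServer:
    require_tls: bool
    bind_tokens: bool
    device_keys: dict = field(default_factory=dict)   # device_id -> key provisioned at enrollment
    tokens: dict = field(default_factory=dict)        # token -> (issued_at, lifetime, device_id or None)

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)   # constructed: stands in for a keystore-backed device key
        self.device_keys[device_id] = key
        return key

    def issue(self, device_id: str, now: int) -> str:
        token = secrets.token_hex(16)
        if self.bind_tokens:
            self.tokens[token] = (now, ONE_HOUR, device_id)
        else:
            self.tokens[token] = (now, TWO_WEEKS, None)   # ClientLogin-style: a bare bearer secret
        return token

    def check(self, req: Request, now: int) -> str:
        if self.require_tls and not req.over_tls:
            return "rejected: plaintext transport"
        entry = self.tokens.get(req.token)
        if entry is None:
            return "rejected: unknown token"
        issued_at, lifetime, device_id = entry
        if now - issued_at > lifetime:
            return "rejected: expired"
        if device_id is None:
            return "accepted"   # nothing ties the token to a device, so any holder passes
        if abs(now - req.timestamp) > REPLAY_WINDOW:
            return "rejected: stale proof"
        expected = sign(self.device_keys[device_id], req.token, req.timestamp)
        if not hmac.compare_digest(expected, req.proof):
            return "rejected: bad proof of possession"
        return "accepted"


def scenario() -> dict:
    """Present a captured request to both designs and collect each server's verdict."""
    t0 = 1_700_000_000   # constructed issue time
    results = {}

    # Legacy design: token over plain HTTP, valid for two weeks, bound to nothing.
    legacy = AuthServer(require_tls=False, bind_tokens=False)
    token = legacy.issue("phone-A", t0)
    captured = Request(token=token, over_tls=False)   # exactly what a passive observer on open Wi-Fi would see
    results["legacy_owner"] = legacy.check(captured, t0)
    results["legacy_replay_3_days_later"] = legacy.check(captured, t0 + 3 * 24 * 3600)

    # Hardened design: TLS required, one-hour lifetime, every request signed with the device key.
    hardened = AuthServer(require_tls=True, bind_tokens=True)
    key = hardened.enroll("phone-A")
    token = hardened.issue("phone-A", t0)
    signed = Request(token=token, over_tls=True, timestamp=t0, proof=sign(key, token, t0))
    results["hardened_owner"] = hardened.check(signed, t0)
    results["hardened_plaintext"] = hardened.check(Request(token=token, over_tls=False), t0)
    results["hardened_replay_2_min_later"] = hardened.check(signed, t0 + 120)
    results["hardened_forged_proof"] = hardened.check(
        Request(token=token, over_tls=True, timestamp=t0 + 120, proof="00" * 32), t0 + 120)
    results["hardened_after_lifetime"] = hardened.check(signed, t0 + ONE_HOUR + 1)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:32} {verdict}")
```

The legacy server accepts the copied token three days later because the only check it can make is "is this a token I issued, and is it younger than two weeks". The hardened server rejects the same replay on four independent grounds, which is the point of layering the researchers' suggestions: HTTPS stops the capture, the short lifetime bounds the damage if capture happens anyway, and the device-held key means a copied token is worthless without the device.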

Via The Register

  • http://twitter.com/gorash aaaaaaaaa

    What a sensationalistic title…

  • http://27183.myopenid.com/ Your Name

    Very interesting and I am glad I am running 2.3.4 on my Nexus One. I just wanted to give you a suggestion on how to better improve your website. GET RID OF THE SCROLLING TWITTER CRAP ON THE RIGHT. Want twitter, great. BUT STOP THE SCROLLING. Do you want your readers to actually read what you have to say? STOP THE SCROLLING DISTRACTIONS. It's kind of embarrassing to find site after site that are created by such brain damaged people.

  • http://www.devindra.org Devindra Hardawar

    Sorry that an accurate title that you may disagree with offends you so much.

  • http://www.devindra.org Devindra Hardawar

    I assure you our brains are only partially damaged.

  • totenglocke

    What a horribly biased title.  Are you really shocked that sending data on an unsecured WiFi network leaves you open to hackers?  That's network security 101.  If you're surprised and upset by that, you shouldn't be using a computer / smartphone, let alone writing about them.

  • totenglocke

    And by “accurate” you mean taking a common sense thing (not using unsecured WiFi networks) and blaming Google for user stupidity.

  • http://twitter.com/master_flahute master_flahute

    Writers nowadays will do anything to up readership. Devindra must have written for a tabloid before Venturebeat made the mistake of hiring him.

  • http://www.devindra.org Devindra Hardawar

    I'd love to know how fanboy brains work.

  • http://www.devindra.org Devindra Hardawar

    No I'm shocked that unprotected login sessions are allowed in any OS. But I guess you don't know what the real problem is.

  • totenglocke

    True, it would be nice to know how your Apple fanboy brain works.  As for those of us pointing out the flaws in this “article”, we're just annoyed that someone is blaming GOOGLE because users are idiots and use unsecured networks which exposes them to hackers.  Would you be writing that same flamebait title if this was an iOS or OS X system where people using unsecured networks were exposed to hackers?  I doubt it.

  • http://www.cd-disk.com/android-security-threats-and-how-you-can-stay-safe Android security threats, and how you can stay safe | CD DISK

    [...] May of 2011. It was discovered that almost all Android phones had a security hole in their use of authentication tokens for synchronizing Google services like Gmail. The flaw allowed attackers to steal the token for a [...]
