It’s almost like we can’t go a week without a major mobile security flaw making headlines. German researchers have discovered that pretty much all Android phones (99.7 percent) have a major authentication flaw that could allow hackers to steal your digital credentials over open wireless networks.
They could then use those credentials to access your Google Calendar, Contacts and potentially other apps. Altogether now: Gulp.
It’s a particularly embarrassing security hole for Google, since it appears to be fairly easy to spot. The issue resides in Google’s ClientLogin authentication protocol for apps in Android 2.3.3 and earlier. Normally, apps use the protocol to request an authentication token (authToken), which contains your Google account credentials, and it can be reused for two weeks. But the researchers discovered that authTokens can also be easily sniffed by hackers when sent over unencrypted HTTP connects and open wireless networks.
According to the researchers — Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm in Germany — the authToken isn’t bound to any particular user session or device, which means hackers can use the sniffed authToken to change your Google contacts, calendar events and gain access to any other apps relying on ClientLogin.
The good news is that most of the issues appear to be fixed in Android 2.3.4 and beyond. There still seem to be potential issues syncing with Picasa, but Google is apparently working on a fix. The bad news is that most Android owners are still running older, vulnerable versions of the software, and Android manufacturers and carriers still haven’t perfected the art of delivering updates to consumers in a timely manner.
The security flaw is also reminiscent of the hubbub surrounding the Firefox extension Firesheep, which lets you easily track unsecured website logins from open Wi-Fi networks.
For now, the researchers say you can protect yourself by staying off of unprotected Wi-Fi networks, or if you have to connect to one, switch off automatic synchronization in your Android settings. It will also help to have your Android phone forget the wireless networks it connects to, which will prevent hackers from spoofing familiar Wi-Fi hotspot names (a process known as an evil twin attack).
The researchers also suggest that developers switch all of their apps to the more secure HTTPS protocol for ClientLogin authentication, and that Google severely limit the lifetime of an authToken.