Serious Security Flaw Plagues Android Phones

Andy Chalk

Nov 12, 2002


German researchers have discovered that 99.7 percent of Android smartphones on the market are vulnerable to a security exploit that could give hackers access to calendars, contact information and even private web albums.

I picked up an Android-powered HTC smartphone a couple weeks ago and let me tell you, it is awesome. But according to a group of researchers at Ulm University [http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html] in Germany, it's also vulnerable to a relatively simple but potentially devastating exploit thanks to apps that transmit data "in the clear," including not just third-party software but also Google's own Calendar app. Eavesdroppers on the same network, it turns out, can capture this information and use it to access a wide range of Google services.

"ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via an HTTPS connection," the report explained. "Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API."

Through this exploit, hackers can not only view a user's calendar, contacts and web albums but also modify or delete all the information contained within. Google Calendar and Contacts sync began using secure HTTPS connections to transmit data with Android version 2.3.4, but Picasa synchronization still uses HTTP and thus remains vulnerable. Furthermore, the report says, "this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS."
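As an added illustration of the cleartext-token problem the report describes (my own example, not code from the Ulm researchers or from Google), the script below audits raw HTTP requests captured from your own devices and flags any ClientLogin token sent outside TLS. The header format `Authorization: GoogleLogin auth=<authToken>` is ClientLogin's real one; the sample requests, the token value and the paths are constructed placeholders.

```python
from collections import namedtuple

# ClientLogin sends the token as "Authorization: GoogleLogin auth=<authToken>".
AUTH_PREFIX = "googlelogin auth="

# token_hint is redacted so the audit report itself does not leak the token
Finding = namedtuple("Finding", "host path token_hint")

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def redact(token: str) -> str:
    return f"{token[:6]}...({len(token)} chars)"

def find_cleartext_tokens(requests, tls_ports=(443,)):
    """requests: (dst_port, raw_request) pairs captured from your own devices.
    A GoogleLogin token on a non-TLS port is readable by anyone on the same network."""
    findings = []
    for port, raw in requests:
        if port in tls_ports:
            continue  # carried inside TLS: not exposed to an eavesdropper
        _method, path, headers = parse_request(raw)
        auth = headers.get("authorization", "")
        if auth.lower().startswith(AUTH_PREFIX):
            token = auth[len(AUTH_PREFIX):]
            findings.append(Finding(headers.get("host", "?"), path, redact(token)))
    return findings

# Constructed sample traffic: the token value and paths are placeholders.
SAMPLE_REQUESTS = [
    (80, "GET /data/feed/api/user/default HTTP/1.1\r\nHost: picasaweb.google.com\r\n"
         "Authorization: GoogleLogin auth=DQAAAKconstructedToken1234567890\r\n\r\n"),
    (443, "GET /calendar/feeds/default HTTP/1.1\r\nHost: www.google.com\r\n"
          "Authorization: GoogleLogin auth=DQAAAKconstructedToken1234567890\r\n\r\n"),
    (80, "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

def audit_sample():
    """Run the check over SAMPLE_REQUESTS; only the port-80 Picasa request is flagged."""
    return find_cleartext_tokens(SAMPLE_REQUESTS)
```

Calling `audit_sample()` returns one finding for the Picasa request on port 80 while the same token on port 443 is skipped, which is exactly the difference between the patched Calendar/Contacts sync and the still-unpatched Picasa sync.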

A Google representative told Eurogamer [http://www.next-gen.biz/news/study-claims-997-per-cent-of-android-devices-vulnerable-to-hacking] that the company knows about the problem and is in the process of correcting it. "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa," the rep said.

On the upside, this security hole doesn't appear to expose Android users to the sort of "one fell swoop" attack that brought down the PlayStation Network, but on a less optimistic note the report claims that, as of May 2, 99.7 percent of all Android phones are affected by the flaw. Fortunately, it also offers a few suggestions for protecting yourself against eavesdroppers: upgrade to the latest version of Android as soon as possible, switch off automatic syncing when connecting to open WiFi networks, set your device to forget open networks you've previously connected to and, if possible, simply don't use affected apps on open WiFi networks.


maddog015

Well, hardly use wifi as it is. I mean, 3G is good enough for me. Unless of course they can get me while I'm on 3G...in which case, maybe I'll just stop using my phone.

Falseprophet

Well I'd love to upgrade to 2.3 but I'm in the digital wasteland of Canada where we get upgrades a year after the rest of the world.

DasDestroyer

I have a good app checker, only use my home's secure wifi and only use apps that I am sure of, so I'd say I'm safe.

Tzekelkan

Good to know they're fixing it. Also, excellent choice of smartphone, sir. I'm typing this on an HTC Desire S right now.