Posts Tagged “Android”

99.7% of Android smart phones are leaking login data for Google services!
German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm claim that this also allows access to information stored in the cloud!

Now, I don’t normally want to write about security issues on mobile devices, but this just captured my attention and I could not shake it loose.

The problem seems to be in the way that Android Apps request authentication tokens. These tokens eliminate the need for users to log in to a particular service, but they are sometimes sent in plaintext over wireless networks, which means that anyone eavesdropping on the WiFi network could capture and use them.

Even worse is that tokens are not specific to the handset, which means that a token destined for one handset could be used on another!

I don’t want to sound pessimistic but this reeks of rushed technology architecture and extremely poor planning when it comes to probability and seriousness of risks inherent with the current Android OS processes that developers follow when delivering Apps to the growing Android user base.

The implications of this vulnerability go from simple disclosure to unwillingly sharing your calendar data. With regard to contact info (your address book on the mobile device), it means that the private information from your contacts is also affected – including phone numbers, home addresses, email addresses etc. If you were the malicious type or simply a corporate spy, you’d probably not consider stealing the info but rather changing it so that emails that the user thinks are being sent to a certain recipient would be sent to another email address instead (without the target knowing about it until it was too late)… given what we’ve seen in recent Wall Street news… it would not take a rocket scientist to change a stored email address for the target’s business partners in the hopes of receiving confidential information that could be used for personal gain.

Many of these tokens are valid for 14 days, which means that someone stealing your Android App login token could have two weeks of access to your data!

Grabbing these tokens is child’s play.

Imagine going to a place in a city where you gain access to a WiFi network called Starbucks or Freenet or MOBILENET etc. and you find out that access is FREE and FAST. Would you use it? If you answered yes, you need to understand that, with their default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing as soon as the internet connection has been established. While syncing would likely fail (unless the operator of this fake hotspot forwards the requests), the operator would capture authTokens for each service on your device that attempted to sync. Then, this thief can make use of your tokens and gain access to your data (typically from a different location).

So, what can you do if you rely on your Android handset and Google services to get your work done?

1- Upgrade your handset to a version of Android that offers full HTTPS support for syncing with Google services such as calendar and contacts. If your telco doesn’t offer it… ask them specifically for help to protect your privacy. Some telcos force their users to remain with a particularly vulnerable version of Android; you may have to wait weeks or months for this update from your carrier, or worse still you may never see it.
2- Be suspicious of any free WiFi connection… it’s always a game of quid pro quo.
3- Do not use Apps containing private data on WiFi connections that you do not trust.
4- Switch off automatic sync when using open WiFi hotspots (they are not to be trusted).
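
A way to check whether an app on your own handset still sends its token without HTTPS, given a proxy log of the device's traffic (an added example, not code from the researchers or from this post). The log records, host names, the `GoogleLogin auth=` header format and the query parameter names are assumptions made for illustration; the 14-day window is the validity period mentioned above.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

TOKEN_LIFETIME = timedelta(days=14)           # validity period stated in the post
CRED_HEADERS = {"authorization", "cookie"}    # headers that carry credentials
CRED_PARAMS = {"auth", "authtoken", "token"}  # assumed query parameter names

# Constructed proxy-log records: (time seen, URL, request headers).
# Hosts, dates and token values are placeholders, not real captures.
SAMPLE_LOG = [
    ("2011-05-17T09:00:00", "http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_1"}),
    ("2011-05-17T09:00:02", "https://contacts.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_2"}),
    ("2011-05-17T09:00:05", "http://news.example.test/rss",
     {"User-Agent": "reader/1.0"}),
    ("2011-05-17T09:00:09", "http://photos.example.test/sync?auth=PLACEHOLDER_TOKEN_3",
     {}),
]

def find_cleartext_tokens(log):
    """Return (host, location, exposed_until) for each credential sent without TLS."""
    findings = []
    for seen_at, url, headers in log:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # only plain HTTP exposes the token to a network eavesdropper
        # A token seen in cleartext stays usable until it expires.
        until = (datetime.fromisoformat(seen_at) + TOKEN_LIFETIME).date().isoformat()
        for name in headers:
            if name.lower() in CRED_HEADERS:
                findings.append((parts.hostname, "header:" + name, until))
        for key, _value in parse_qsl(parts.query):
            if key.lower() in CRED_PARAMS:
                findings.append((parts.hostname, "query:" + key, until))
    return findings

def hosts_needing_https(log):
    """Services whose sync traffic should be disabled on untrusted WiFi."""
    return sorted({host for host, _where, _until in find_cleartext_tokens(log)})

if __name__ == "__main__":
    for host, where, until in find_cleartext_tokens(SAMPLE_LOG):
        print(f"{host}: credential in {where} sent in cleartext; "
              f"treat as exposed until {until}")
```

The token values themselves are never printed or stored in the findings, so the report can be shared without leaking them a second time.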


A lot of text has been written recently about the failings of the Android tablet in the market. The Motorola XOOM failed to come out of the closet with the new version of Google’s tablet optimized Android OS. Apparently, Google threw Android under the bus by stating that versions of the OS prior to Honeycomb were just not good enough to run on tablets.
Whatever you think about Honeycomb (the version of Android which is supposed to be optimized for tablets) in its current state, Google understands that having Apps optimized for the tablet form is critical to sway consumer acceptance. Apple understands this, and did a reasonably good job making sure that there were enough desirable Apps in the App Store on iPad launch day to get things rolling. Google, even with the advantage of having seen it done right, hasn’t emulated success. G clearly hasn’t done enough to get developers to produce Apps for Honeycomb, nor have they released the Honeycomb code so that developers can get to work. What’s worse is that the hacker robots are still out there actively lying in wait for overzealous developers to launch Android Apps so that they can quickly rip apart the code (after all that’s what open source is all about these days) and submit the App to the world’s torrent sites within 48 hours to the dismay of the bawling developer.
It’s no wonder that there are no significant tablet Apps for Android in the Market given the state of support by Google. Worse, even though Google has as much to lose as anyone due to a lack of Honeycomb Apps, it hasn’t produced any itself! Google writes a lot of software, so why haven’t they filled Honeycomb tablets with awesome and non-evil Apps from their own camp?
This past week Google released an Android app for Google Docs. Sure, Android users can now be happy as clams to get this release, but it is a big missed opportunity for Google and the Honeycomb tablets. We wonder why Google Docs wasn’t rolled out on the new tablet OS first? After all, the larger form of the tablet is ideally suited for working with documents. If Google isn’t willing to put in the time and effort to promote its own services on its own mobile platforms then why should anyone else?
Right now there should be dozens of Apps for Honeycomb that make Android users drool with glee when they ponder their next tablet encounter with Gmail, Google Calendar and Contacts. Sure, there is a decent Gmail app for Honeycomb, but not something amazing or cool. The calendar App on the XOOM is unfortunately one of the worst mobile calendar Apps that I have ever seen, on any platform. Either it is a total embarrassment to the platform or it indicates how much thought and planning went into the software design prior to coding. We wonder if there were any engineers above the age of 21 on that project given some of the UI decisions made. Google should have produced a suite of Honeycomb Apps that makes everyone who uses Google services rush out to buy a tablet just for the Apps. But that would mean that these Google-heads actually paid attention during Steve Jobs’s lectures on the topic over the past 18 months.
OK, I do not want to enter the realm of Google bashing but G has taken a very narrow view of what needs to be done to deliver Honeycomb, and has limited coding to the OS. The many reviews of Honeycomb to date report that it is half-baked and sadly not ready for prime time. That failure is made apparent in the market for Android tablets, where there is not a single successful tablet either available or in the pipeline.
Given the state of Honeycomb as a platform, the propensity and consistency with which the hacker community has been able to turn a developer’s sweat and tears into freely downloadable wares combined with Google’s failure to produce decent Apps of its own, it is no wonder developers are not rushing to produce Honeycomb Apps.
There’s no indication that there will be a return for any serious efforts any time soon. Unfortunately, that doesn’t bode well for the viability of Honeycomb devices in the near future. It’s the classic chicken v. egg… you need Apps on the Android tablets for them to have a chance in the marketplace. In the meantime, all hail great Apps, the true king of tablets.


Copyright © 1999 - BoxOnline. All Rights Reserved.