99.7% of Android smart phones are leaking login data for Google services!
German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm claim that this also allows access to information stored in the cloud!
Now, I don’t normally want to write about security issues on mobile devices, but this just captured my attention and I could not shake it loose.
The problem seems to be in the way that Android Apps request authentication tokens. These tokens eliminate the need for users to login to a particular service, but these tokens are sometimes sent in plaintext form over wireless networks and that means that anyone eavesdropping on the WiFi network could capture and use these tokens.
Even worse is that tokens are not specific to the handset, which means that a token destined for one handset could be used on another!
I don’t want to sound pessimistic but this wreaks of rushed technology architecture and extremely poor planning when it comes to probability and seriousness of risks inherent with the current Android OS processes that developers follow when delivering Apps to the growing Android user base.
The implications of this vulnerability go from simple disclosure to unwillingly sharing your calendar data. With regard to contact info (your address book on the mobile device), it means that the private information from your contacts is also affected – including phone numbers, home addresses, email addresses etc. If you were the malicious type or simply a corporate spy, you’d probably not consider stealing the info but rather changing it so that emails that the user thinks are being sent to a certain recipient would be sent to another email address instead (without the target knowing about it until it was too late)… given what we’ve seen in recent Wall street news… it would not take a rocket scientist to change a stored email address for the target’s business partners in the hopes of receiving confidential information that could be used for personal gain.
Many of these tokens are valid for 14 days, which means that someone stealing your Android App login token could have two weeks of access to your data!
Grabbing these tokens is child’s play.
Imagine, going to a place in a city where you gain access to a WIFI network called Starbucks or Freenet or MOBILENET etc and you find out that access is FREE and FAST. Would you use it? If you answered yes, you need to understand that with its default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing as soon as the internet connection has been established. While syncing would likely fail (unless the operator of this fake hotspot forwards the requests), they would capture authTokens for each service on your device that attempted to sync. Then, this thief can make use of your tokens and gain access to your data (typically from a different location).
So, what can you do if you rely on your Android handset and Google services to get your work done?
1- Upgrade your handset to a version of Android that offers full HTTPS support for syncing with Google services such as calendar and contacts. If your telco doesn’t offer it… ask them specifically for help to protect your privacy. Some telcos force their users to remain with a particularly vulnerable version of Android , you may have to wait weeks or months for this update from your carrier, or worse still you may never see it.
2- Be suspicious of any free WiFi connection… it’s always a game of quid pro quo
3- Do not use Apps containing private data on WiFi connections that you do not trust.
4- Switch off automatic sync when using open WiFi hotspots (they are not to be trusted).



Entries (RSS)