X

Sign in

Sign in to confirm

Have you forgotten your password?

... or login with Facebook:

Don't have an AndroidPIT account yet? Sign up

99% of Android Phones Vulnerable to Attack

Steven Blum
6

(Photo: IntoMobile.com)

That's the conclusion reached by researchers at the University of Ulm, in Germany, who have found that any phones running a version of Android prior to 2.3.3 are vulnerable due to a weak ClientLogin authentication protocol.

Basically, any time an Android user signs into a service like Twitter, Facebook or a new Google account, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, the information is left wide open for thieves to steal. 

Take it away, researchers: 

"To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks...With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing."

Google patched the security hole earlier this month with the release of Android 2.3.4, but any version prior still transmits sensitive data through unencrypted channels. That means that more than 99 percent of Android handsets are vulnerable to the attacks. 

Apps that use ClientLogin should immediately start doing so over encrypted, https channels, the researchers said. 

What can you do for now? A verizon spokeswoman said users should consider using their devices only on secured networks. 

More on this as the story develops...

Comments

Write new comment:
  • Android Addict May 17, 2011 Link

    My gut reaction was that this was shameless fearmongering but the source seems legit.

    0
  • Niels Christiansen May 18, 2011 Link

    You could say, with a measure of authority, that the source is correct.

    http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

    When you read closely you'll learn that there are some issues with Android natively not transmitting in a secure manner.

    The cure?

    Use a secure network. What OS does *that* not apply to?

    Kind regards and safe net usage,

    0
  • Steven Blum May 18, 2011 Link

    @Niels.. do you think it's entirely unreasonable to expect a phone that can transmit in a secure manner, tho? It seems the responsibility for security must be shared between both carriers and software makers.

    0
  • Niels Christiansen May 18, 2011 Link

    @Steve Oh no, not at all. Please don't get me wrong. Actually I think Google has been rather lax in inplementing reasonable measures., why weren't they there in the first place?
    My initial reaction was more oriented against the mainstream media's coverage of this issue, that while mostly correct without really knowing why, just lambasted Android. (But then, why post my reaction *here*? ;) )
    Also, given the focus on privacy there's been over the last several years my reaction was one of suprise. Wake up Google.
    You also mention carriers, and it's my impression that all encrypt (although maybe not always so strongly) both data and speech.
    Ulm Uni's article warns against unsecured Wi-Fi networks, but maybe the broad audience isn't quite aware of the pitfalls there?

    Kind regards, Niels.

    0
  • Steven Blum May 18, 2011 Link

    @Neils I know we're on the same page. :) Yeah, I also don't understand why companies like Google don't take more care to encrypt, given all the bad press this creates- just look at what happened to Skype!

    Yes the media loves stories like this because it gets to be seen as a consumer watchdog (which it kind of is, but is mostly just another business itself!) I don't think the MSM has any beef with Android in particular tho. In fact, the media LOVES stories of David vs. Goliath...and Android USED to be David. :) But these stories certainly tread along the familiar path of Android being this Wild Wild West full of gun-slinging malware and robberies galore.

    0