Register now » Login
« Login

Forgotten your password?

OsmAnd
« back to "Android Blog & News"

May

17

99% of Android Phones Vulnerable to Attack

by Steven Blum on May 17, 2011 3:24:59 PM — read 1,071 times

(Photo: IntoMobile.com)

That's the conclusion reached by researchers at the University of Ulm, in Germany, who have found that any phones running a version of Android prior to 2.3.3 are vulnerable due to a weak ClientLogin authentication protocol.

Basically, any time an Android user signs into a service like Twitter, Facebook or a new Google account, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, the information is left wide open for thieves to steal. 

Take it away, researchers: 

"To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks...With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing."

Google patched the security hole earlier this month with the release of Android 2.3.4, but any version prior still transmits sensitive data through unencrypted channels. That means that more than 99 percent of Android handsets are vulnerable to the attacks. 

Apps that use ClientLogin should immediately start doing so over encrypted, https channels, the researchers said. 

What can you do for now? A verizon spokeswoman said users should consider using their devices only on secured networks. 

More on this as the story develops...

Source: Gizmodo   |   Tags:   Android   Malware   Privacy   Security   Security Flaws

Comments


Android Addict
May 17, 2011 3:28:11 PM

My gut reaction was that this was shameless fearmongering but the source seems legit.


Niels Christiansen
May 18, 2011 1:57:05 PM

You could say, with a measure of authority, that the source is correct.

http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

When you read closely you'll learn that there are some issues with Android natively not transmitting in a secure manner.

The cure?

Use a secure network. What OS does *that* not apply to?

Kind regards and safe net usage,


Steven Blum
May 18, 2011 2:12:32 PM

@Niels.. do you think it's entirely unreasonable to expect a phone that can transmit in a secure manner, tho? It seems the responsibility for security must be shared between both carriers and software makers.


Niels Christiansen
May 18, 2011 2:50:40 PM

@Steve Oh no, not at all. Please don't get me wrong. Actually I think Google has been rather lax in inplementing reasonable measures., why weren't they there in the first place?
My initial reaction was more oriented against the mainstream media's coverage of this issue, that while mostly correct without really knowing why, just lambasted Android. (But then, why post my reaction *here*? ;) )
Also, given the focus on privacy there's been over the last several years my reaction was one of suprise. Wake up Google.
You also mention carriers, and it's my impression that all encrypt (although maybe not always so strongly) both data and speech.
Ulm Uni's article warns against unsecured Wi-Fi networks, but maybe the broad audience isn't quite aware of the pitfalls there?

Kind regards, Niels.


Steven Blum
May 18, 2011 3:17:36 PM

@Neils I know we're on the same page. :) Yeah, I also don't understand why companies like Google don't take more care to encrypt, given all the bad press this creates- just look at what happened to Skype!

Yes the media loves stories like this because it gets to be seen as a consumer watchdog (which it kind of is, but is mostly just another business itself!) I don't think the MSM has any beef with Android in particular tho. In fact, the media LOVES stories of David vs. Goliath...and Android USED to be David. :) But these stories certainly tread along the familiar path of Android being this Wild Wild West full of gun-slinging malware and robberies galore.

Write new comment:

You must log in or register now,
to submit a comment!

As a logged in user, you can also change the order of the comments.

 
Ad
Subscribe to the Blog Add to Google

Bookmark / E-Mail

Click on an icon to bookmark this article.
» Send this article via e-mail

Related Topics

Tags / Topics

Archive

Android Forum

General
Android
Google Android Phones
HTC Android Phones
Huawei Android Phones
LG Android Phones
Motorola Android Phones
Samsung Android Phones
Sony Ericsson Android Phones
Other Android Devices
Android Tablets
Other Android Tablets
Android OS Forums
Android Developer Forum
Miscellaneous

Support AndroidPIT

Do you enjoy AndroidPIT? We?re thrilled to have your support! How does it work? Just click on the links below.

Recommend to Others

Enjoy AndroidPIT? Then please let other people know about us!

Questions / Help

Do you have questions about AndroidPIT or simply want to learn more about us? Then you might find the following links helpful.

Search Keywords

Bookmarks

  You are reading: 99% of Android Phones Vulnerable to Attack - AndroidPIT. All times are UTC+02:00. The time now is 6:13 PM.