Authored by:

99% of Android Phones Vulnerable to Attack

Authored by: Steven Blum — May 17, 2011

(Photo: IntoMobile.com)

That's the conclusion reached by researchers at the University of Ulm, in Germany, who have found that any phones running a version of Android prior to 2.3.3 are vulnerable due to a weak ClientLogin authentication protocol.

Basically, any time an Android user signs into a service like Twitter, Facebook or a new Google account, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, the information is left wide open for thieves to steal. 

Take it away, researchers: 

"To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks...With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing."

Google patched the security hole earlier this month with the release of Android 2.3.4, but any version prior still transmits sensitive data through unencrypted channels. That means that more than 99 percent of Android handsets are vulnerable to the attacks. 

Apps that use ClientLogin should immediately start doing so over encrypted, https channels, the researchers said. 

What can you do for now? A verizon spokeswoman said users should consider using their devices only on secured networks. 

More on this as the story develops...

Source: Gizmodo

Steven Blum has written more than 2,000 blog posts as a founding member of AndroidPIT's English editorial team. A graduate of the University of Washington, Steven Blum also studied Journalism at George Washington University in Washington D.C. for two years. Since then, his writing has appeared in The Stranger, The Seattle P-I, Blackbook Magazine and Venture Villlage. He loves the HTC One and hopes the company behind it still exists in a few years.

5 comments

Write new comment:
  • Steven Blum May 18, 2011 Link to comment

    @Neils I know we're on the same page. :) Yeah, I also don't understand why companies like Google don't take more care to encrypt, given all the bad press this creates- just look at what happened to Skype!

    Yes the media loves stories like this because it gets to be seen as a consumer watchdog (which it kind of is, but is mostly just another business itself!) I don't think the MSM has any beef with Android in particular tho. In fact, the media LOVES stories of David vs. Goliath...and Android USED to be David. :) But these stories certainly tread along the familiar path of Android being this Wild Wild West full of gun-slinging malware and robberies galore.

    0
  • Niels Christiansen May 18, 2011 Link to comment

    @Steve Oh no, not at all. Please don't get me wrong. Actually I think Google has been rather lax in inplementing reasonable measures., why weren't they there in the first place?
    My initial reaction was more oriented against the mainstream media's coverage of this issue, that while mostly correct without really knowing why, just lambasted Android. (But then, why post my reaction *here*? ;) )
    Also, given the focus on privacy there's been over the last several years my reaction was one of suprise. Wake up Google.
    You also mention carriers, and it's my impression that all encrypt (although maybe not always so strongly) both data and speech.
    Ulm Uni's article warns against unsecured Wi-Fi networks, but maybe the broad audience isn't quite aware of the pitfalls there?

    Kind regards, Niels.

    0
  • Steven Blum May 18, 2011 Link to comment

    @Niels.. do you think it's entirely unreasonable to expect a phone that can transmit in a secure manner, tho? It seems the responsibility for security must be shared between both carriers and software makers.

    0
  • Niels Christiansen May 18, 2011 Link to comment

    You could say, with a measure of authority, that the source is correct.

    http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

    When you read closely you'll learn that there are some issues with Android natively not transmitting in a secure manner.

    The cure?

    Use a secure network. What OS does *that* not apply to?

    Kind regards and safe net usage,

    0
  • Android Addict May 17, 2011 Link to comment

    My gut reaction was that this was shameless fearmongering but the source seems legit.

    0