Another week, another “security risk” alert for a major tech company. Security researchers at the University of Ulm in Germany have tested a theory, circulating on the web since February, that login information on Android phones can be sniffed over WiFi networks and used to impersonate the user. According to them, “The short answer is: Yes, it is possible, and it is quite easy to do so.”
Ruh roh.
Essentially, the crux of the problem lies in the fact that third-party apps (including Facebook, Twitter and Google ones) that use the ClientLogin authentication protocol are sending authentication tokens out “in the clear” where nefarious people can capture and store them. This isn’t exactly capturing your login and password, but it’s essentially the same outcome: with that authentication token in hand, it’s as if they had logged in successfully to whatever service you intended to use. To make matters worse, the Ulm researchers found that the tokens were valid for 14 days. That’s an eternity in computing terms.
For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.
It affects 99.7% of all Android users. Google has patched the security hole in the latest version of Android (2.3.4 and later), but everyone knows how hard (and infrequent) it is for different carriers and handset manufacturers to roll out updates to Android software.
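For app developers, the cleartext exposure described above can be checked in an app's own traffic. The following Python script is an added example, not code from the Ulm researchers or from this post: it audits a log of an app's outbound requests and flags any that carry a ClientLogin-style token (or another replayable credential header) over plain HTTP. The log format, function names, hosts and token values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# ClientLogin tokens travel in an "Authorization: GoogleLogin auth=<token>"
# header. Bearer/Basic are included because they carry the same replay risk.
CRED_HEADER = re.compile(
    r"^authorization:\s*(GoogleLogin\s+auth=|Bearer\s+|Basic\s+)(\S+)", re.I)

def redact(token):
    """Keep only a short prefix and the length, never the full value."""
    return f"{token[:4]}...({len(token)} chars)"

def audit(log_text):
    """Return findings for credential headers sent over an unencrypted scheme.
    Assumed log format: a 'METHOD URL' line, then indented 'Header: value'
    lines, with requests separated by blank lines."""
    findings = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = block.splitlines()
        parts = lines[0].split()
        if len(parts) != 2:
            continue  # malformed request line; skip rather than guess
        method, url = parts
        target = urlsplit(url)
        for header in lines[1:]:
            m = CRED_HEADER.match(header.strip())
            if m and target.scheme.lower() != "https":
                findings.append({
                    "method": method,
                    "host": target.hostname,
                    "scheme": m.group(1).split()[0],
                    "token": redact(m.group(2)),
                })
    return findings

# Constructed sample: hosts and token values are placeholders, not real data.
SAMPLE_LOG = """\
GET http://calendar.example.test/feeds/default
    Authorization: GoogleLogin auth=DQAAAHconstructedTOKEN0001
    User-Agent: sample-sync/1.0

GET https://contacts.example.test/feeds/default
    Authorization: GoogleLogin auth=DQAAAHconstructedTOKEN0002

POST http://photos.example.test/upload
    Content-Type: image/jpeg
"""

for f in audit(SAMPLE_LOG):
    print("CLEARTEXT CREDENTIAL:", f["method"], f["host"], f["scheme"], f["token"])
```

Only the first request is flagged: the second sends its token over HTTPS, and the third uses plain HTTP but carries no credential header.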
So what can you do to protect yourself?
The Ulm University folks suggest the following:
- Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
- Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.
- Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget)
- The best protection at the moment is to avoid open Wifi networks at all when using affected apps.
It’s kind of a pain to avoid using WiFi hotspots, especially with your mobile phone, but if you don’t want to take any chances that there’s someone there waiting to take your logins, it’s the only thing you can do. Your phone’s 3G connection should be more than enough to access your social networks.
This issue has way more potential for harm than the iPhone “location scandal” from a couple weeks ago because of the ease of access to login credentials and the fact that it’ll be very difficult for Google to patch the hole given the fractured nature of the install base. Hopefully Google can figure out a solution soon.






