99% of Android Phones Vulnerable to Data Leak; Google Working on Quick Fix

Researchers in Germany have uncovered a security flaw in Android. Frighteningly, 99 percent of Android users are presently affected, as the flaw hits users who are presently on any version of the OS lower than the most recent 2.3.4 – So basically anyone who doesn't have an updated Nexus One or Nexus S.

The security flaw is from a lack of secure connection between Android and Google's authentication system. When a user submits login credentials for Calendar or Contacts, Google returns an authentication token that's sent over HTTP. That token can be used for 14 days for access to a user account.

This problem doesn't affect Android versions 3.0 or 2.3.4 as much as it does all the versions before it, as they use HTTPS for Calendar and Contacts. Picasa, however, remains transmitted insecurely.

Researchers say that hackers can easy extract this information from an Android phone through the use of a fake, "dummy" wireless network that a user's phone would try to connect itself to.

To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.

This oversight is a huge problem as the vast majority of Android devices don't have the immediate access to new versions like the Nexus phones do. Fortunately, Google is able to implement a server side fix that should patch things up for Calendar and Contacts on all Android versions, though Picasa is still a question mark.

Reported by Computerworld, Google's official statement is:

Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.

(Get apps for your Android OS smartphone from our downloads section)

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
    Your comment
  • owned
  • Don't get me wrong. It's good that they discovered this before anything serious could come of it. But, this is just the latest example of how every OS brand has it's own flaws to deal with. Take that all you finger pointers and name namers!

    In other news: Today Company X failed to imagine this one scenario that left users vulnerable when this one thing that COULD happen if some bad people thought of this one way to steal from someone else while the end user was using this one feature in a specific manner. It's a good thing this one guy, out of 6 billion (6,000,000,000) people, that doesn't work for Company X imagined this could happen before some bad guy did. Say it with me now... "SHAME ON COMPANY X FOR HAVING A LACK OF IMAGINATION!"

    Yeah... Everyone fails sometimes. It's how we deal with it that proves who we really are.
  • FYI
    That was not a shot at Tom's in any way. I think it's good that people know about the issue so they can take steps to prevent any problems for themselves. I was only poking fun at the aforementioned folks in the first part of what I typed.