
99% of Android Phones Vulnerable to Data Leak; Google Working on Quick Fix

Source: Tom's Guide US

Beware of evil twin Wi-Fi.

Researchers in Germany have uncovered a security flaw in Android. Frighteningly, 99 percent of Android users are currently affected, since the flaw hits anyone running a version of the OS lower than the most recent 2.3.4. So basically, anyone who doesn't have an updated Nexus One or Nexus S is exposed.

The security flaw stems from the lack of a secure connection between Android and Google's authentication system. When a user submits login credentials for Calendar or Contacts, Google returns an authentication token that is subsequently sent over unencrypted HTTP. That token can be used for 14 days to access the user's account.

This problem doesn't affect Android 3.0 or 2.3.4 the way it does all earlier versions, because those releases use HTTPS for Calendar and Contacts. Picasa sync, however, is still transmitted insecurely.

Researchers say that hackers can easily extract this information from an Android phone through the use of a fake, "dummy" wireless network that a user's phone would try to connect to. In the researchers' own words:

To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.

This oversight is a huge problem because the vast majority of Android devices don't get immediate access to new OS versions the way the Nexus phones do. Fortunately, Google is able to implement a server-side fix that should patch things up for Calendar and Contacts on all Android versions, though Picasa is still a question mark.
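To make the exposure concrete from the defender's side, here is an added example (not from the article or the researchers) of detection logic that scans a captured request log for authTokens sent over plain HTTP and reports how many days each would remain usable under the 14-day lifetime. The log line format, the service paths and the tokens are constructed for this example, and the ClientLogin-style "GoogleLogin auth=" header is an assumption about how the token is carried.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)  # lifetime the article gives for an authToken

# Constructed path patterns for the three sync services the article names
# (an assumption for this example, not taken from the article).
SERVICE_PATTERNS = {
    "calendar": re.compile(r"^/calendar/"),
    "contacts": re.compile(r"^/m8/feeds/"),
    "picasa": re.compile(r"^/data/feed/"),
}
# Constructed log line format: "<ISO timestamp> <METHOD> <URL> <headers>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# ClientLogin-style header carrying the token (assumed format, see lead-in)
AUTH_RE = re.compile(r"GoogleLogin auth=(\S+)")


def classify(path):
    """Name the sync service a request path belongs to."""
    return next((n for n, p in SERVICE_PATTERNS.items() if p.search(path)), "unknown")


def find_cleartext_tokens(lines, now_iso):
    """One finding per request that sent an auth token over plain http://.
    Records the service, a redacted token prefix and the days it stays usable."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of crashing on them
        ts, _method, url, headers = m.groups()
        parts = urlsplit(url)
        tok = AUTH_RE.search(headers)
        if parts.scheme != "http" or not tok:
            continue  # HTTPS or no token: nothing exposed on the wire
        expires = datetime.fromisoformat(ts) + TOKEN_LIFETIME
        findings.append({
            "service": classify(parts.path),
            "token_prefix": tok.group(1)[:4] + "...",  # never log the whole secret
            "usable_for_days": max((expires - now).days, 0),
        })
    return findings


# Constructed sample capture from an evil-twin hotspot (not real traffic).
SAMPLE_LOG = [
    "2011-05-19T10:00:00 GET http://www.google.com/calendar/feeds/default GoogleLogin auth=CALTOKEN01",
    "2011-05-19T10:00:01 GET http://www.google.com/m8/feeds/contacts/default/full GoogleLogin auth=CONTOKEN02",
    "2011-05-19T10:00:02 GET http://picasaweb.google.com/data/feed/api/user/default GoogleLogin auth=PICTOKEN03",
    "2011-05-19T10:00:03 GET https://www.google.com/calendar/feeds/default GoogleLogin auth=CALTOKEN04",
]
```

The fourth sample line models a client already using HTTPS for Calendar and is not reported, while the Picasa request is still flagged, matching the article's description of what the fix does and does not cover.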

As reported by Computerworld, Google's official statement is:

Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.



Comments

proton9 05/19/2011 10:45 AM

owned

ThisIsMe 05/19/2011 11:15 AM

Don't get me wrong. It's good that they discovered this before anything serious could come of it. But, this is just the latest example of how every OS brand has its own flaws to deal with. Take that all you finger pointers and name namers!

In other news: Today Company X failed to imagine this one scenario that left users vulnerable when this one thing that COULD happen if some bad people thought of this one way to steal from someone else while the end user was using this one feature in a specific manner. It's a good thing this one guy, out of 6 billion (6,000,000,000) people, that doesn't work for Company X imagined this could happen before some bad guy did. Say it with me now... "SHAME ON COMPANY X FOR HAVING A LACK OF IMAGINATION!"

Yeah... Everyone fails sometimes. It's how we deal with it that proves who we really are.

ThisIsMe 05/19/2011 11:24 AM

FYI
That was not a shot at Tom's in any way. I think it's good that people know about the issue so they can take steps to prevent any problems for themselves. I was only poking fun at the aforementioned folks in the first part of what I typed.

memadmax 05/19/2011 11:26 AM

lol, that's the cloud for ya...

jtt283 05/19/2011 12:06 PM

This game will continue until those convicted of "playing" it get to hear a loud fail horn and see
"GAME OVER" in bright lights just before someone ruins their day with a single large caliber round to the head.

Kryan 05/19/2011 12:21 PM

one of the best comments I've ever read here, ThisIsMe. +10 to you, sir, and a Green Thumbs Up (if they worked).

Anonymous 05/19/2011 12:31 PM

Exactly. The Android lunatics that laughed when this happened to WP7 last year seem pretty quiet in this thread - I wonder why that is.

This sort of thing happens to every OS - none are immune.

brianfulcher15 05/19/2011 2:01 PM
nebun 05/19/2011 2:14 PM

lol...what's new...google and security? you have got to be kidding me, lol

Tedders 05/19/2011 2:18 PM

brianfulcher15 :
droid is still greater than iphone..you shouldn't store passwords anyways...


This isn't about storing passwords. You have to access your stuff by typing a username and password. No way around that. When you do that on an unsecured network and happen to use HTTP instead of HTTPS, that's what could happen.

adobejesus 05/19/2011 2:26 PM

Quote :So basically anyone who doesn't have an updated Nexus One or Nexus S.


...Or unless you are running an HTC Incredible with a Gingerbread rom running Android 2.3.4

=]

wcnighthawk 05/19/2011 2:55 PM

Man, won't Google stop "torturing" its users already. Sheesh :)

moricon 05/19/2011 2:58 PM

Come on Google, this is not good enough!

watcha 05/19/2011 3:06 PM

I wonder how different the reaction would be if this MASSIVE failure on Google's part, leaving EVERY user vulnerable while using public Wifi, had been done by Apple...

Just shows that the objectivity is severely lacking with the apple-haters.

scook9 05/19/2011 3:09 PM

Wonder if this was the security fix implemented in Cyanogenmod 7.0.3

moricon 05/19/2011 3:14 PM

watcha :
I wonder how different the reaction would be if this MASSIVE failure on Google's part leaving EVERY user vulnerable while using public Wifi has been done by Apple...Just shows that the objectivity is severely lacking with the apple-haters.



Seriously, come on get real!

Google do stuff for FREE!!!!!!! for every individual in the world, for FREEEEE!!!!!!!

Apple charge a massive premium for every single product they sell !!!!!!!!!

Jobs SUCKS!!!!!!!

Ever stopped to wonder why there are so many APPLE HATERS?

Thought not!

macewrox 05/19/2011 3:27 PM

Apple: Hey we have a new product for you.
Applelover: Oh yeah?! What's new about it?
Apple: Don't worry about that. It's new.
Applelover: What? Oh okay.
Apple: You don't want to be left in the past now do you? Come on..
Applelover: How much?
Apple: How much you got?
Applelover: My life savings.
Apple: I'll take it.

molo9000 05/19/2011 3:39 PM

moricon :
Google do stuff for FREE!!!!!!! for every individual in the world, for FREEEEE!!!!!!!


Is that why they made 8.5 billion dollars profit last year? Google has a higher profit margin than Apple ffs!

MeanSquare 05/19/2011 3:46 PM

I can't imagine a better response from Google. They roll out a quick fix as soon as they're aware that there's a problem. What more could one expect? (I know, one could expect perfection as Thisisme already pointed out so well.)

moricon 05/19/2011 3:54 PM

molo9000 :
Is that why they made 8.5billion dollars profit last year? Google has a higher profit margin than Apple ffs!



Umm one word ADVERTISING!!!!!!!!

You do not pay, advertising pays! You search or e-mail or browse for FREE FFS!

jimsocks 05/19/2011 3:56 PM

quick fix that will take carriers months to release lol

cyprod 05/19/2011 3:58 PM

watcha :
I wonder how different the reaction would be if this MASSIVE failure on Google's part leaving EVERY user vulnerable while using public Wifi has been done by Apple...Just shows that the objectivity is severely lacking with the apple-haters.


Sorry, but no. The difference is that other than one poster so far, google folks are like "well, it's good it got caught before any widespread use" and "that sucks", "I'm glad they're fixing this quickly", etc.

If it'd been apple that had done it, the google response would be expected, but the apple users would say stuff such as "it's a feature!" or "who would do that anyway, it's not a big deal" or, "I don't mind, I think it's kind of cool really".

You see the difference, right?

virtualban 05/19/2011 3:58 PM

macewrox :
Apple: Hey we have a new product for you.Applelover: Oh yeah?! What's new about it?Apple: Don't worry about that. It's new.Applelover: What? Oh okay.Apple: You don't want to be left in the past now do you? Come on..Applelover: How much?Apple: How much you got?Applelover: My life savings.Apple: I'll take it.


Thanks for the smiles. Thumbs up.

Anonymous 05/19/2011 4:59 PM

For comments like:

"This sort of thing happens to every OS - none are immune."

"quick fix that will take carriers months to release lol"

Please read the entire article!!

This is not a bug on android and carriers have nothing to do with it.
This is a server side issue and it will get fixed in a couple days.

hunter315 05/19/2011 5:06 PM

And that's why you shouldn't be connecting to random wifi networks...

dread_cthulhu 05/19/2011 5:30 PM

Quote :Researchers say that hackers can easy extract this information from an Android phone through the use of a fake, "dummy" wireless network that a user's phone would try to connect itself to.


Sorry to be a grammar Nazi... the appropriate word is "easily"...

Yuka 05/19/2011 5:33 PM

Well, Sony worked on the PSN subject very "quickly"... We all saw how that turned out, lol.

Don't fail on us, Google. At least, security wise XD

Cheers!

molo9000 05/19/2011 5:33 PM

moricon :
Umm one word ADVERTISING!!!!!!!!You do not pay, advertising pays! You search or e-mail or browse for FREE FFS!



Google's high advertising prices (google had a 29% profit margin last year) raise the costs of other companies, which ultimately increases the price of products you buy.
(And don't forget about your loss of privacy.)

Nothing in life is free. Things are indeed quite expensive if a company has a market dominating position like Google.

otacon72 05/19/2011 5:41 PM

That's part of the reason why I stick with RIM. Might not have all the bells and whistles but never have to worry about any kind of security issue.

chfireball 05/19/2011 5:48 PM

for all the fanboys, this has been an issue for some time now. no I'm not going to google it for you. it's become a big enough issue for google to do something about it. i just wish Tom's would post the whole story so as not to be feeding the trolls.

Kami3k 05/19/2011 5:53 PM

Doesn't affect me from the details I read in the article. I turned off Wi-Fi the day I got my Droid 2.