Security hole could affect 99% of Android smartphones

Filed Under: Android, Data loss, Google, Mobile, Privacy, Vulnerability

Android smartphoneAccording to German researchers, 99% of Android devices might be at risk from a vulnerability which could allow unauthorised parties to snoop on your Google Calendar and Contacts information.

The discovery by the University of Ulm researchers brings to light a serious privacy issue, and underlines the difficulty that many Android smartphone owners appear to face keeping their operating systems up-to-date.

According to the paper by Bastian Könings, Jens Nickels, and Florian Schaub, entitled "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol", in Android 2.3.3 and earlier the Calendar and Contacts apps transmit information "in the clear" via HTTP, and retrieve an authentication token (authToken) from Google.

That means that there's the potential for cybercriminals to eavesdrop on WiFi traffic and steal the authToken that your smartphone has just generated.

Wireshark sniffing an authToken

As authTokens can be used for several days for subsequent requests, hackers can exploit them to access what should be private services and data - such as your web-based calendar. Furthermore, it turns out that the generated authTokens are not linked to a particular phone, so they can be easily used to impersonate a handset.

Yuck!

The scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly available in hotel lobbies, airports or at the coffee shop on the corner of your street), as someone could snoop on your authToken and abuse it.

According to the researchers, Google has fixed the problem in Android 2.3.4. But there's the rub. Just how many people are still running older versions of the Android OS?

Android OS platform usage

Approximately 99% of Android users are vulnerable, as they haven't updated to at least version 2.3.4 (codenamed "Gingerbread").

GingerbreadUnfortunately it's not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.

There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users. This fragmentation inevitably leaves Android devices open to security problems.

Fortunately, Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.

But what should you do if you're a concerned Android owner?

My recommendation would be to upgrade to the latest version of Android if at all possible.

Furthermore, do not use open WiFi networks as your communications may not be properly protected. If you're worried about this latest security issue you might be wise to connect to the internet via 3G from their smartphone rather than using unencrypted public WiFi connections.

Using 3G may eat into your data plan, but it's far less likely that your communications are being snooped upon.

Update: Good news. Google has started rolling-out a fix for this vulnerability.

, , , , , , , , , ,

You might like

10 Responses to Security hole could affect 99% of Android smartphones

  1. Andrew · 1252 days ago

    You could also disable Automatic Sync and not send authentication tokens to Google...

    • annabella · 1251 days ago

      my sync is disabled...but, thank you for posting that, or i wouldn't have known to check :)

  2. Thankfully I'm running 2.3.4 :) via my amazing MIUI ROM from http://www.miui.us

    And if you're not running 2.3.4, just don't be a goober and connect to unencrypted WiFi networks.

  3. Alex · 1251 days ago

    how is the 3g safe? how is it protected since I dont have to enter a password? Could a bad guy sniff the 3g traffic? Thanks in advance I dont know how that works.

    • Maczet · 1251 days ago

      3G is safe insofar as the data twixt handset and cellular base station is encrypted.

    • Jay · 1251 days ago

      The article says this affects WiFi traffic, not 3G.

    • Matt · 1251 days ago

      It's already encrypted with the authentication data on your SIM I believe. I don't know much about it, but the reason people can sniff on unencrypted WiFi is because you haven't entered a password to encrypt your data with.

  4. This is specifically talking about connecting over wifi. I have wifi disabled at all times as I never use it, hence all my traffic goes over 3g. to my knowledge it is far harder to sniff 3g coz of its own two key encrypted signals, while wardriving is a piece of cake to do.

    tip is to refrain from using wifi until this exploit is fixed.

  5. boggett2001 · 1251 days ago

    If I don't use the Google calendar feature anyway, do I still need to worry about this?

  6. JMM · 1251 days ago

    What version of Android is the HTC DROID ERIS?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.