Turns out that the “vast majority” of Android smartphones are doing a lousy job when it comes to protecting the digital “token” that grants users access to calendars, contacts, and other Google-hosted services—or so says a team of wireless security researchers. But the vulnerability is really only a problem if your phone is connected to an unsecured wireless hotspot—a bad idea in the first place, if you ask me.
The Register has the scoop on the just-discovered security hole, which was announced by a team of researchers at the University of Ulm in Germany and should worry anyone with a handset running anything but Android 2.3.4—in other words, the very latest version of Android.
The focus of the vulnerability, says The Register, is an “improper implementation” of ClientLogin, an authentication protocol that uses digital “tokens” to authenticate users who have correctly entered their Google IDs and passwords. These tokens, once issued, are good for a full two weeks before they need to be renewed—and according to the University of Ulm researchers, smartphones using Android 2.3.3 and earlier are receiving the tokens in what’s known as “cleartext,” which is a jargon-y way of saying that they’re being sent with no encryption whatsoever. In other words, they’re about as private as the back of a postcard.
The trouble really begins when you’re trading these so-called “authTokens” over an open, unsecured Wi-Fi network—you know, like those mysterious but ever-popular “Public WiFi” hotspots that appear in parks, cafes, and other public places. But while generic, wide-open hotspots are both easy and free, they’re also like catnip for hackers, who can scan (or “sniff”) any unencrypted traffic on the network—including, say, an unprotected authToken—as easily as one might flip through an open book. Another risk: “evil twin” hotspots, which masquerade as T-Mobile, AT&T, and other well-known Wi-Fi hotspot providers but are actually controlled by ne’er-do-wells intent on stealing your data.
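To make the exposure concrete, here is an added example (not code from the post, Google, or the Ulm researchers) that audits a capture of your own phone’s traffic and flags ClientLogin tokens sent over plain http:// rather than https://. It assumes the ClientLogin convention of carrying the token in an “Authorization: GoogleLogin auth=…” header, which the post does not spell out; the sample capture below is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the post): ClientLogin clients put the
# authToken in an "Authorization: GoogleLogin auth=<token>" header.
CLIENTLOGIN_HEADER = re.compile(
    r"^authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M
)


def find_cleartext_tokens(requests):
    """Return (url, masked_token) for each request carrying a ClientLogin
    token over plain HTTP. `requests` is an iterable of (url, raw header
    block) pairs, e.g. pulled from a capture of a test phone's traffic.
    Tokens seen over https:// are encrypted on the wire and are not flagged.
    The token itself is masked so the audit log does not become a new leak."""
    findings = []
    for url, headers in requests:
        scheme = urlsplit(url).scheme.lower()
        match = CLIENTLOGIN_HEADER.search(headers)
        if match and scheme == "http":
            token = match.group(1)
            masked = token[:6] + "..." + str(len(token))
            findings.append((url, masked))
    return findings


# Constructed sample capture: placeholder tokens, not real traffic.
SAMPLE_CAPTURE = [
    ("http://www.google.com/calendar/feeds/default/private/full",
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAK0constructedtoken0001\r\n"),
    ("https://www.google.com/m8/feeds/contacts/default/full",
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAK0constructedtoken0002\r\n"),
    ("http://example.com/news",
     "Host: example.com\r\nAccept: */*\r\n"),
]

if __name__ == "__main__":
    for url, masked in find_cleartext_tokens(SAMPLE_CAPTURE):
        print("cleartext ClientLogin token:", masked, "->", url)
```

Only the calendar request is reported: the contacts request carries the same kind of token but over TLS, and the third request carries no token at all.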
Of course, security vulnerabilities like this latest Android scare crop up all the time, and they’re typically repaired with a hastily issued security patch—and indeed, in this case, the researchers quoted in the Register story note that the newly issued Android 2.3.4 plugs the hole. The only problem, of course, is that Android OS updates are usually dependent on phone manufacturers and carriers, who must tailor the software for each specific Android handset. Indeed, plenty of Android phones are still waiting to get an update for Android 2.2, much less Android 2.3.4.
But here’s the thing: even if your Android phone isn’t updated to version 2.3.4 yet, you can still protect yourself from getting your authentication token swiped by avoiding unsecured public Wi-Fi hotspots—which you should probably be doing anyway, particularly if you’re sending and receiving private email or logging into sensitive websites.
For tips on how to deal with open public Wi-Fi networks—or not deal with them, as the case may be—check out these detailed (if aging) articles here and here.
Update: Looks like Google has a fix in the works, according to All Things Digital:
“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” Google said in a statement. “This fix requires no action from users and will roll out globally over the next few days.”
Related:
99% of Android phones leak secret account credentials [The Register]