Android authToken Bug Places 99% of Handsets at Risk

The bad news: Google's Android platform has a vulnerability that could allow the credentials used to access Google Calendar, Contacts and possibly other accounts to be stolen. The good news: Google fixed this in Android 2.3.4. More bad news: Android 2.3.4 is only on 1 percent of Android handsets (it's that fragmentation thing).

The problem stems from an error in Google's implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and lower. Once a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, an authentication token is delivered, but the problem is that the token is sent in cleartext. The authToken allows access to the logged-in service for up to 14 days, without requiring another login.
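
One way to check a capture of your own device's traffic for this exposure, as an added example (not code from the article or the researchers): it looks for ClientLogin's `Authorization: GoogleLogin auth=` header in readable HTTP requests and records only a fingerprint of the token. The header format comes from Google's ClientLogin documentation; the function names, hosts, paths and token values are constructed for illustration.

```python
import hashlib
import re

# ClientLogin requests carry the token as "Authorization: GoogleLogin auth=<token>"
# (header format from Google's ClientLogin documentation, not from this article).
AUTH_RE = re.compile(rb"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)
REQUEST_LINE_RE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]$")

def parse_http_request(payload):
    """Return (path, headers) if payload is a readable HTTP request, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None  # TLS records and other binary data end up here
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(2).decode("latin-1"), headers

def find_cleartext_tokens(payloads):
    """Report requests whose ClientLogin token is readable on the wire."""
    findings = []
    for payload in payloads:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        path, headers = parsed
        m = AUTH_RE.match(headers.get(b"authorization", b""))
        if m:
            # Keep a fingerprint for de-duplication, never the token itself.
            fp = hashlib.sha256(m.group(1)).hexdigest()[:12]
            host = headers.get(b"host", b"?").decode("latin-1")
            findings.append({"host": host, "path": path, "token_fp": fp})
    return findings

# Constructed sample payloads (hosts, paths and token values are made up).
SAMPLE = [
    b"GET /calendar/feeds/default HTTP/1.1\r\nHost: calendar.example\r\n"
    b"Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-A\r\n\r\n",
    b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01",  # start of a TLS record
    b"GET /contacts/feeds/default HTTP/1.1\r\nHost: contacts.example\r\n"
    b"authorization: googlelogin auth=CONSTRUCTED-TOKEN-A\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n",
]

if __name__ == "__main__":
    for finding in find_cleartext_tokens(SAMPLE):
        print(finding)
```

Two findings sharing one `token_fp` mean the same token was exposed to more than one service endpoint; requests that went over TLS never parse and are skipped.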

The researchers, from Germany's University of Ulm, said that hackers could capture such authTokens en masse if they leveraged the fact that devices will attempt to reconnect to a previously known network (assuming that setting is enabled in the OS). The reconnection is based on the network's SSID. Thus:
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
For the 99 percent of people who do not have a fix, the best way to avoid the issue is to avoid unsecured Wi-Fi networks. Google is aware that even with the fix in place, devices synchronizing with Picasa web albums transmit sensitive data through unencrypted channels; they are working on a fix.
Via:  The Register
Comments
rapid1 3 years ago

One big point to make here: if you have a tablet or a smartphone, whether it is Android, Symbian, Microsoft, Apple or any other manufacturer/OS, turn off the auto wireless network connection ability and/or search ability. That is the weakest point on a smart device connection-wise. Yes, you can connect to wireless connections, but connect to them manually so you know what, and who, you are trusting with your info. I would say the same for a smartphone, slate/tablet, laptop, netbook, and any other device you may have that performs this type of action and has any kind of personal data on it.

schmich 3 years ago

Google needs to get some sort of system files updater...system going. Just like every desktop OS has. Why can't 1-2 system files get updated if it doesn't break anything? It would also help fragmentation.

I really don't get why the OS has to get new versions all the time. Surely 2.3.3 should be upgradeable to 2.3.4 without having to wait for a carrier to make a completely new rom.

coolice 3 years ago

^ Well, I'd assume that's the problem. If every ROM were just a vanilla ROM, then no problem! Updating isn't a big issue. It's when the carriers start making their own customizations, or when companies start making their customizations, oh boy, then it becomes a little hard, I'd assume, to upgrade.... Certain upgrades might interfere with/halt others' working functions.

Though you're right, the next iteration of Android should be figuring out a way to upgrade the core software when needed by Google, but not touching the "skins" applied by others. That should be the next installment for Android 2.4... Ice Cream??

As for the bloatware that comes with the phones, have them on the carrier's website; that way you can download and install the ones you want.

rapid1 3 years ago

Yeah; coolice, you have that right. Vanilla ROMs are great, but they do not matter. As per my experience, vanilla Android does the auto connect feature as well. So does iOS, as well as any OS on any smartphone/device, or at least predominately. All you have to do is turn the auto off, just like on a commercial wireless router. Of course we know how often that is done as well, but the general public has absolutely no clue at all. I run my wireless/Ethernet router as secure as possible on a commercial product. I even wrote a guide on how to secure your wireless router for a class project a couple of years back in a class I was taking. The teacher loved it, and no one else paid it any attention even though it was available to the class. Some of the members (a few) knew what I was saying and already had their routers at least secure past factory settings. The largest part pay it no attention, just like the general public does at home and will do on their smartphones. I even have 2 people with Apple air routers in my neighborhood; I can hijack all of their networks and data in 5 seconds if I ever wanted to. Predominately the sheep do not exist in Apple's lone pasture, if you get what I am saying!
