Most Android Phones Are Leaking Login Data, According to German Researchers
May 17, 2011 1:15 PM –
99.7% of Android smartphones are leaking login data for Google services, and could allow other access to information stored in the cloud, so claim German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm.
The problem is in the way that applications which deal with Google services request authentication tokens. These tokens eliminate the need for the user to login to the service, but as the researcher discovered these tokens are sometimes sent in plain text form over wireless networks. This means that anyone who happened to be eavesdropping on the Wi-Fi network could grab these tokens. What’s worse is that tokens are not specific to the handset, which means that a token destined for one handset could be used on another.
The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.
To make matters worse, tokens are valid for a long period of time (14 days for Calendar tokens), which means that someone grabbing your token could have two weeks worth of access to your data.
So, if you rely on your Android handset and Google services to get your work done, what can you do? The researchers offer up three suggestions:
- Upgrade your handset to Android which offers HTTPS for Google Calender and Contacts sync. However, you may have to wait weeks or months for this update from your carrier, or worse still you may never see it (Like Verizon customers, who are stuck on Android 2.2.2 despite the fact that it contains multiple known vulnerabilities). – NOTE: This update still leaves Picassa Sync vulnerable.
- Switch off automatic sync when using open Wi-Fi.
- Better still, avoid using affected apps on open Wi-Fi connections.