Wednesday, May 18, 2011

Android Security Hole a Problem for 99% of Users, researchers say

Android has another security problem. According to researchers at the Ulm University Institute of Media Informatics in Germany, an attacker sharing an unencrypted WiFi network with an Android phone can capture the phone's Google authTokens as they cross the air and reuse them.

The authTokens are the credentials Android apps store so they can log in to a service without re-entering the password. The hole is in Google's ClientLogin authentication, which the built-in Google apps such as Calendar and Contacts use to reach Google's APIs: on affected versions the token is sent over plain HTTP rather than HTTPS, so anyone sniffing the network can read it. The vulnerability affects any Android smartphone that has not been updated to Gingerbread 2.3.4 (the researchers were unsure about Honeycomb 3.0). Since almost no Android phones are running 2.3.4 at this point, roughly 99% of users are exposed.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis," the Ulm researchers wrote. "The short answer is: Yes, it is possible, and it is quite easy to do so."

The findings were first reported by The Register.
Tokens issued by ClientLogin remain valid for about two weeks, so an attacker who captures one while the phone syncs over an open network can replay it from anywhere for the rest of that window, long after the victim has left the WiFi network; no break-in to the phone itself is needed. The researchers compare the attack to "sidejacking", the theft of website session cookies that the Firesheep plugin made notorious late last year.
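To make the mechanism concrete, here is an added example (not code from the article or from the Ulm researchers) that plays the role of the passive sniffer: it scans constructed records of HTTP requests seen on a hotspot, picks out any ClientLogin `Authorization: GoogleLogin auth=...` header that travelled on port 80 in the clear, and reports how long that token can still be replayed given the two-week lifetime described above. Only requests on port 80 are readable by a sniffer; a sync over TLS on port 443 would be ciphertext on the wire, which is exactly why the 2.3.4 fix (switching the sync to HTTPS) closes the hole. The capture records, hostnames, paths and token values are all made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Header format used by Google's ClientLogin protocol:
#   Authorization: GoogleLogin auth=<authToken>
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)\s*$", re.I | re.M)

# Validity window of a ClientLogin authToken as reported by the Ulm researchers.
TOKEN_LIFETIME = timedelta(days=14)


@dataclass
class Finding:
    host: str
    port: int
    token_hint: str          # redacted: never write a live token to a log
    captured_at: datetime
    replayable_until: datetime


def redact(token):
    """Keep only the ends of the token so a report stays useful but not reusable."""
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "***"


def find_plaintext_tokens(capture):
    """capture: iterable of (timestamp, dst_port, raw_request_text).

    Returns one Finding per ClientLogin token that was sent unencrypted.
    Requests to port 443 are skipped: a passive sniffer sees only TLS
    ciphertext there, so there is no header to read.
    """
    findings = []
    for ts, port, raw in capture:
        if port != 80:
            continue
        m = AUTH_RE.search(raw)
        if not m:
            continue
        h = HOST_RE.search(raw)
        findings.append(Finding(
            host=h.group(1) if h else "?",
            port=port,
            token_hint=redact(m.group(1)),
            captured_at=ts,
            replayable_until=ts + TOKEN_LIFETIME,
        ))
    return findings


# Constructed sample capture (hypothetical hosts, paths and token values):
# a Calendar sync over plain HTTP, the same kind of sync over HTTPS (opaque
# to the sniffer), and an unrelated plaintext request carrying no token.
T0 = datetime(2011, 5, 18, 9, 30)
SAMPLE_CAPTURE = [
    (T0, 80,
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAMEXAMPLE_TOKEN_VALUE_0123456789\r\n"
     "\r\n"),
    (T0 + timedelta(minutes=1), 443,
     "<TLS ciphertext: contents not visible to a passive sniffer>"),
    (T0 + timedelta(minutes=2), 80,
     "GET /index.html HTTP/1.1\r\nHost: news.example.org\r\n\r\n"),
]


if __name__ == "__main__":
    for f in find_plaintext_tokens(SAMPLE_CAPTURE):
        print(f"{f.host}:{f.port} leaked token {f.token_hint} at {f.captured_at}, "
              f"replayable until {f.replayable_until}")
```

The point the script makes is the one the article makes: the attacker never touches the phone. Everything needed for impersonation is in one plaintext header, and the fourteen-day replay window means the victim does not have to be on the hotspot, or anywhere near it, when the token is used.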

Read more: ReadWriteWeb