Android vulnerability exposes users to data theft

From InfoWorld: Android users running apps over an unsecured Wi-Fi network run the risk of having their authentication tokens swiped by eavesdroppers. Those tokens can be used to secretly view and tamper with your contacts, calendars, email, and other information, according to research from University of Ulm.

The bad news: Smartphones running Android 2.3.3 or earlier -- which accounts for 99.7 percent of Android devices -- are most vulnerable. The good news: Developers, users, and Google can take steps to reduce the risks.

The vulnerability can affect apps that access Google services, such as Calendar or Contacts, via the ClientLogin authentication protocol, according to the researchers. Using ClientLogin, an app requests an authentication token from the associated Google service. That authToken can then be reused for subsequent requests to the service for two weeks, which is convenient from the user's perspective.

The problem is, if the authToken is sent in a request over an unencrypted connection (HTTP instead of HTTPS), an eavesdropper can grab it and use it for the rest of that 14-day period to reach the user data exposed through the service. Compounding the problem, the authTokens aren't bound to any session or device-specific information, so a captured token works just as well from the attacker's machine as from the victim's phone.
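One way a defender can look for this exposure in captured or proxied traffic, as an added example that is not code from the article or from the Ulm researchers: it parses a few constructed sample requests and flags any ClientLogin token carried over plaintext HTTP, reporting only a fingerprint of the token and the date until which a captured copy must be treated as live. It assumes ClientLogin's documented header form, `Authorization: GoogleLogin auth=<token>`, which the article does not show; the request records and token values are constructed.

```python
"""Flag ClientLogin-style tokens sent over plaintext HTTP.

Added example, not from the InfoWorld article or the Ulm researchers.
Assumes requests are available as text records (request line plus headers),
as a proxy or capture export would give them, and that the token travels in
the header form "Authorization: GoogleLogin auth=<token>" (an assumption; the
article does not show the header). All sample records below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: three requests as a proxy might log them.
# Only the first one carries a token over plaintext HTTP.
SAMPLE_REQUESTS = [
    "GET http://www.google.com/calendar/feeds/default/private/full HTTP/1.1\n"
    "Host: www.google.com\n"
    "Authorization: GoogleLogin auth=DQAAAHYAAAC1234567890abcdefEXAMPLETOKEN\n",
    "GET https://www.google.com/m8/feeds/contacts/default/full HTTP/1.1\n"
    "Host: www.google.com\n"
    "Authorization: GoogleLogin auth=DQAAAHYAAABzyxwvutsrqponEXAMPLETOKEN2\n",
    "GET http://example.com/static/logo.png HTTP/1.1\n"
    "Host: example.com\n",
]

# Token lifetime stated in the article: two weeks.
TOKEN_LIFETIME = timedelta(days=14)

CLIENTLOGIN_RE = re.compile(r"GoogleLogin\s+auth=(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    token_fingerprint: str  # first and last characters only; never log the token
    live_until: date        # latest date a captured copy could still be replayed
    reason: str


def fingerprint(token: str) -> str:
    """Return a short, non-reusable identifier for a token."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "****"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request record into method, request target and headers."""
    request_line, _, header_block = raw.partition("\n")
    method, target = request_line.split()[:2]
    headers: Dict[str, str] = {}
    for line in header_block.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def replay_window_end(observed: date) -> date:
    """Date until which a token seen on `observed` must be assumed valid."""
    return observed + TOKEN_LIFETIME


def plaintext_token_findings(requests: List[str], observed: date) -> List[Finding]:
    """Return one Finding per request that sends a ClientLogin token over HTTP.

    The transport is judged from the scheme of an absolute-form request
    target (proxy style). Origin-form targets ("GET /path") carry no scheme,
    so for those the capture's port or TLS state must be consulted instead.
    """
    findings: List[Finding] = []
    for raw in requests:
        _method, target, headers = parse_request(raw)
        match = CLIENTLOGIN_RE.search(headers.get("authorization", ""))
        if not match:
            continue
        if urlsplit(target).scheme.lower() == "http":
            findings.append(Finding(
                url=target,
                token_fingerprint=fingerprint(match.group(1)),
                live_until=replay_window_end(observed),
                reason="ClientLogin token sent over plaintext HTTP",
            ))
    return findings


if __name__ == "__main__":
    for f in plaintext_token_findings(SAMPLE_REQUESTS, date(2011, 5, 16)):
        print(f"{f.reason}: {f.url} token {f.token_fingerprint} "
              f"(treat as live until {f.live_until})")
```

The HTTPS request in the sample is deliberately left alone: the point of the check is the transport, not the token itself. In an incident, the `live_until` date is the practical takeaway, since the article notes a captured token keeps working for the remainder of its two-week life regardless of which device presents it.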

Thus, "[an] adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user," according to the researchers. "This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."
