The truth about the latest Google Android security scare (Updated)

Summary: Another day, another security scare. Should you be worried about this one? Find out the truth here.


A security vulnerability in some Google apps on Android has everybody stirred up again, so let's put this into perspective. In this article we'll explain why the threat is overblown and not even Android-specific.

Update: And besides that, a fix is already being deployed.

In case you missed it, researchers in Germany found that if they hooked up a piece of hardware called a packet sniffer to an unprotected WiFi network they could see "authorization tokens" being transmitted in the clear to servers used by certain apps like Google Calendar.

A token is a long gobbledygook string of characters that the server creates and uses instead of your password (which is kept secret). An attacker watching this token go by can write a program that uses it to pretend to be you for a limited time. For example, if you connect to the server with a buggy version of Google Calendar while someone nearby is watching, then they can read and write items in your calendar.

This kind of vulnerability is well known, and many applications have run into it over the years. For example, Facebook and Twitter had the same problem. Their solution was to turn on encryption all the time, not just for the initial password exchange. Encryption increases load on the server and client but obviously in this case it's worth it.
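To make the "encrypt all the time" fix concrete, here is an added example (not code from the article or from Google's apps) of a client-side policy in Python: the token is only ever attached to an https URL, and it is dropped again if a redirect downgrades to http or moves to another host. The header format, URLs and function names are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed header name/format for this example; the real apps used their own scheme.
AUTH_HEADER = "Authorization"


class InsecureTransportError(Exception):
    """Raised when a token would otherwise travel over an unencrypted connection."""


def attach_token(url: str, token: str, headers: Optional[dict] = None) -> dict:
    """Return a copy of `headers` with the auth token added, but only for https URLs.

    A plaintext URL raises instead of silently sending the token in the clear,
    which is the defect described above (a token visible to anyone sniffing the network).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise InsecureTransportError(
            f"refusing to send auth token over {parts.scheme or 'unknown'}://{parts.netloc}"
        )
    out = dict(headers or {})
    out[AUTH_HEADER] = f"Token {token}"
    return out


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Decide which headers survive an HTTP redirect.

    The token is removed if the redirect target is not https or is a different host,
    so an "always encrypted" policy cannot be undone by following a redirect.
    """
    src, dst = urlsplit(from_url), urlsplit(to_url)
    out = dict(headers)
    same_host = src.hostname == dst.hostname
    if dst.scheme.lower() != "https" or not same_host:
        out.pop(AUTH_HEADER, None)
    return out
```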

The story is getting a lot of attention because it was noticed on Android, but it's not, in fact, an Android vulnerability. It's a security bug in any program that does not encrypt its authorization tokens. Google Calendar, Contacts, and Gallery, which were shipped in all versions of Android prior to 2.3.4, are three such programs. There may be others. The Calendar plug-in for Mozilla Thunderbird, which is a program that runs on PC, Mac, and Linux is another. GMail is NOT affected. Nobody has found the problem in banking and shopping programs either.

When I first read about the problem I thought "meh, no big deal", but seeing the coverage today you'd think the world was coming to an end (we have until May 21st, remember?). Here are a few examples (emphasis mine):

  • SJVN's article, "Android has a GAPING NETWORK SECURITY HOLE", says the attack is "quite easy" and tells us "we are so hosed". He continues by saying "Google, the Android smartphone and tablet makers, and the telecoms must fix this. Now." First of all, it's not an Android problem, and to call it "gaping" is to overstate the severity. An attack would require special hardware and/or software, not to mention physical proximity and an unprotected network. Obviously, all security problems are serious and should be fixed.
  • Adrian Kingsley-Hughes's article, "99.7% of all Android smartphones vulnerable to SERIOUS DATA LEAKAGE", says that "A whopping 99.7% of Android smartphones are leaking login data for Google services". Well, no. Some apps running on Android phones, PCs, and Macs could potentially leak authentication tokens in just the right circumstances. Your login data, by which I mean your userid and password, are not leaked. Adrian admits as much in the second paragraph, but hey, who reads that far.
  • Gloria Sin's article, "Most Android devices VULNERABLE TO IDENTITY THEFT", warns that "web-based services like GMail" are vulnerable because of "how Android devices handle login information". That's not right. The Android operating system is not doing anything with your login information; it's some apps that run on Android, PC, and Mac. Furthermore, GMail is not affected by this particular bug. Gloria makes it worse by claiming that "problems could arise from hackers changing an unsuspecting person's password, to gaining access to sensitive emails and private photos." No, photos maybe, but passwords and emails are safe. There's nothing here to help somebody steal your identity.

Should you be worried? Until a patch is available (either through the Market or an Android update) the problem can be avoided by not using the affected applications in a vulnerable situation. What's a vulnerable situation? Based on the information we have so far, IF you sync your calendar or contacts while using the open WiFi of the local Starbucks or airport, and IF somebody within 50 feet or so of you is waiting for you to do that and is running a packet sniffer, and IF you think they might do harm by looking at your doctor's appointments and boyfriend's phone number, THEN you might want to take precautions such as turning off WiFi until you get back home to your secure network. Otherwise, in my opinion it's not worth getting too worked up about.

Update: Google is rolling out a fix to the problem already, for all phones and computers. According to a spokesman,

"Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."

The fix is on the server side, and will fix everything except Picasa. Current authentication tokens will be erased and replaced with new ones upon logging back in to the affected service. Go go gadget, instant cloud update!

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

Talkback

33 comments
  • See

    Thanks for the information and it should be patched, but here is the issue: this update would probably take months if not years to reach T-mo users since they would have to test the patch and test again... With Apple, the location issue was fixed within a week and rolled to everyone.

    Happy with iPhone!
    Hasam1991
    • RE: The truth about the latest Google Android security scare

      @Hasam1991 "This fix requires no action from users and will roll out globally over the next few days."?

      Unlike your iPhone that needs to be plugged into your Mac to resolve any bug. Happy with my dual core LG, coming from an ex-iPhone user of 3 years.
      locopollito
      • RE: The truth about the latest Google Android security scare

        @locopollito
        Right like all the other 'updates' that never made it to my phone...
        Hasam1991
      • RE: The truth about the latest Google Android security scare

        @hasam1991
        You seem to typify responders who make assertions based on no knowledge whatsoever. This is another case where you make bald statements out of plain ignorance. Give it up until you learn something about the subject matter. You could be polluting innocent noobs with your nonsense.
        radleym
      • RE: The truth about the latest Google Android security scare

        @locopollito What, I have to plug my iPhone into my Mac to get the update? I'm confused, I don't have a Mac and the update is on my phone, very strange.

        Hasam's comment wasn't valid or warranted but I have a question, did Ed write a similar piece about "locationgate"? Did he write how it really wasn't an issue, that Apple was not tracking iPhones, that it wasn't exclusive to iOS and that Apple would have a fix out ASAP?
        non-biased
    • RE: The truth about the latest Google Android security scare

      @Hasam1991

      Miss this part "The fix is on the server side, and will fix everything except Picasa. Current authentication tokens will be erased and replaced with new ones upon logging back in to the affected service." ??
      noagenda
      • RE: The truth about the latest Google Android security scare

        @noagenda
        @Hasam1991 - seems like he is having a panic attack
        ukdaveg
    • RE: The truth about the latest Google Android security scare

      @Hasam1991 It would help if you actually read the article dumbass... He noted the fix is server side and new tokens will be pushed to the phone! That is the only fix and as it turns out, Gmail is not affected!
      slickjim
  • RE: The truth about the latest Google Android security scare

    This is being patched on the server today, people. This isn't something which requires an update for your phone.

    Good write up. Wish you could update it with the most recent information to keep the fear mongers at bay.
    Yamon
    • RE: The truth about the latest Google Android security scare

      @Yamon Done
      Ed Burnette
  • RE: The truth about the latest Google Android security scare

    Wow. Does Google really need apologists?

    tl;dr
    It's nothing, trust the advertising company.

    Presumably no-one saw mad men ;-)
    tonymcs@...
    • RE: The truth about the latest Google Android security scare

      @tonymcs@...
      "tl;dr"

      Perhaps you should have read the article. Who knows, you might have learned something.
      Theli
    • Does any company need apologists?

      @tonymcs@...
      You really should take better care of your glass house.
      John L. Ries
    • Re: Apologist?

      I'm a fan but I could point you at several unflattering articles I wrote about Google too.
      Ed Burnette
    • RE: The truth about the latest Google Android security scare

      @tonymcs@... Yes, I agree, read the article!
      slickjim
  • Google's Myopic Fanbase

    Calling the worry some might have of a packet sniffer douche bag sniffing your contacts and calendar data at just the right moment "overblown," is about the narrowest view you can take. The bigger picture is that Android now has a proven track record of being rife with malware, trojans, surprise data leaks, app con artists, rampant software piracy, and hackers. Me? Worried?
    Delvardo
    • RE: The truth about the latest Google Android security scare

      @Delvardo
      can we get a list?
      App con artists was fixed very well I thought. This one is not an issue and, as the article says, not just Android: any/most systems have this issue.
      ukdaveg
    • RE: The truth about the latest Google Android security scare

      @Delvardo

      Uh, you know I could do the same thing to a Mac, right? This fundamentally goes to how data is transmitted over networks. It has nothing to do with the OS. In fact, the "fix" is just always-on encryption for Google apps. The real fix is to either not use an unencrypted service on an open network or make sure all of your services use always-on encryption. This should have been titled, "Some Google apps allow users to take unnecessary risks (and they fixed it)" as it HAS NOTHING TO DO WITH ANDROID!
      tkejlboom
      • RE: The truth about the latest Google Android security scare

        @tkejlboom "...as it HAS NOTHING TO DO WITH ANDROID!"

        Well said, if you read the report it states the circumstances to intercept the token if you are connected to an "Evil Twin" network - http://en.wikipedia.org/wiki/Evil_twin_%28wireless_networks%29.
        ALL devices connected in this scenario would be at risk!
        The report does not put a lot of emphasis on this.
        Perhaps the researchers at University of Ulm are Apple Fanboys.

        There is a great irony here: you can set up an "Evil Twin" network with Android.
        Install Shark Native (from Android Market).
        Setup your device as a Wireless Access Point and start Shark.
        Start "sniffing" and away you go.....
        @...
  • RE: The truth about the latest Google Android security scare

    Correct me if I'm wrong, Ed, but the Auth tokens are cross-compatible between any Google apps - i.e. you can use the auth token from Calendar and log into Gmail.
    archon810