Most Android devices vulnerable to identity theft

Most Android devices vulnerable to identity theft

Summary: Your login on your Android devices could be stolen by hackers on wireless networks, according to German security researchers. Unless you have Gingerbread.

TOPICS: Mobility, Hardware

German security researchers have found a vulnerability with how Android devices handle login information when accessing Web-based services like Gmail, according to the BBC.

Whenever applications on an Android device need to communicate with Google services like Google Calendar, they receive an authentication token so the user does not have to re-enter his login information within a certain timeframe. But what the University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub discovered is that sometimes the information is transfered in plain-text over wireless networks. That means if a hacker is looking to steal login data, he could find a way to capture those plain-text authentication tokens so he could pose as a legitimate user to access other devices or services. After all, there is a single login across Google's products -- from Gmail to Google Checkout -- and all the data is in the cloud so the information will function across platforms.

Researchers ran tests on the following Android devices and Google products: Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services).

Some of their findings include:

Until Android 2.3.3 the Calendar and Contacts apps transmit any request in the clear via http and are therefore vulnerable to the authToken attack. This affects 99.7% of all Android smartphones (stats from 2nd of May 2011). Since Android 2.3 the Gallery app provides Picasa Web Albums synchronization which is also not encrypted.

Since Android 2.3.4, the Calendar and Contacts apps are using a secure https connection. However, the Picasa synchronization is still using http and thus is still vulnerable.

Our sniffed authTokens were valid for several days (14 days for a sniffed Calendar authToken), which enables adversaries to comfortably capture and make use of tokens at different times and locations.

Put simply, problems could arise from hackers changing an unsuspecting person's password, to gaining access to sensitive emails and private photos.

According to the BBC article, "Almost all versions of the Android operating system were passing round unencrypted authentication tokens, found the researchers. It was fixed in version 2.3.4 but, suggest Google figures, only 0.3% of Android phones are running this software."

So the best way to arm your Android devices from identity theft is to update the OS to version 2.3.4, which is an upgrade on Gingerbread. Officially, this update is only available for the newest handsets like the Google Nexus S and Nexus S 4G and not intended for older Android devices. Hopefully Android will work on an update for all devices to plug this security hole soon.

For related ZDNet coverage:

[Source: University of Uulm blog via BBC]

Topics: Mobility, Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Updates are thing to wait forever on most of 344 varios Android-powered

    models. In fact, most of these devices will be never updated to anything, much less to 2.3.4 version of OS. The rest will be updated, but this might take like half year or full year (!).

    Open versus closed = fragmented versus integrated approach.
    • RE: Most Android devices vulnerable to identity theft

      @denisrs Sadly you're wrong. Straight up 'factually' wrong.<br><br>Perhaps you should poke around and do some homework <br><br>Oh, and this is being fixed right now ... on a server not on the handset. This is an all out problem in ANY application which uses this method to auth. Not just a phone. <br><br>FUD PEOPLE FUD
  • RE: Most Android devices vulnerable to identity theft

    One thing that's not fragmented about Android is the fact that the Android platform is a big data security risk.
    • RE: Most Android devices vulnerable to identity theft


  • Where is DonnieBoy?

    Conveniently silent!
    Ram U
    • My guess is he's over at the Nexus S blog

      Trying to come up with an "explanation" as to why Google's flagship phone isn't up to snuff compared to other Android phones.

      Then he'll cut and paste his usual "WP7 comment" at the end of his reply. ;)
      Will Pharaoh
  • RE: Most Android devices vulnerable to identity theft

    What doesn't seem to be mentioned in this article is that this hack only works if the victim is using an unsecured WiFi network. So yes, it can happen, but not nearly as widely as you might expect.
    • RE: Most Android devices vulnerable to identity theft


      I seem to recall Google 'finding' quite a few unsecured WiFi routers a while ago. How many end users do you think have subsequently fixed that?
    • RE: Most Android devices vulnerable to identity theft

      @bschorr Oh, well then I guess this hole is OK.
      I like coffee.
  • RE: Most Android devices vulnerable to identity theft

    This is a non-issue... Here's why...

    First, I don't know of a single user that uses their phones to connect to public wifi hot spots so this is a Joke! This is never going to be exploited anywhere!

    What is the worst thing that is going to come out of this?

    Worst case, Google Patches this particular piece of the OS from 2.0 through 2.3.3... Best Case, the vendors roll out 2.3.4 or 2.4 to all the Smart Phones over 1 GHz, which is 90% of the Android Phones anyway.

    Of course, as some said, don't use open wifi networks if you value your privacy anyway and that goes for all computing devices period!

    Now, if a user is using their own WIFI network with a phone and it is wide open, this is on the user for being stupid enough to leave it wide open!
    • RE: Most Android devices vulnerable to identity theft

      @Peter Perry Since you don't know anyone who uses public wifi, that means nobody does? And have you been keeping up on the track record of Google updates making it to phones? It isn't good.
      I like coffee.
    • RE: Most Android devices vulnerable to identity theft

      @Peter Perry

      You really should get out more.
  • RE: Most Android devices vulnerable to identity theft

    All these androids phones are all battery eaters. they suck and cant even last a whole day. Also i knew these android or iphones are not very secure phones. Glad I stick to Windows phone 7 they are more secure and no tracking locating file like iphone has LOL.... Just because they have these apps all these dumb dumb people dont even know there phones are not very secure.
    • WP7 users are more secure because... ;-)

      @ipadsucks <br><br>probably less than 1% of smart phone users are using WP7 phones. Nobody wants to write an exploit for an OS that has less than 1% of the market.<br><br>The rest of the market belongs to Apple iOS, Android and Blackberry.
      Solid Water
      • RE: Most Android devices vulnerable to identity theft

        @Solid Water

        So why wouldn't you buy WP7?
  • RE: Most Android devices vulnerable to identity theft

    Just as an fyi....
    the Nexus One updates fine to the latest version....
    Runs great on mine :D
    • RE: Most Android devices vulnerable to identity theft

      @rhonin The LG I gave up in March is still waiting for it. I have friends who kept their Androids and they're over a year without updates, thought they were suppose to get them for 18 months.
      I like coffee.
  • RE: Most Android devices vulnerable to identity theft

    Umm, GMail was NOT applicable to this issue.

    Shotty reporting at best here.
  • RE: Most Android devices vulnerable to identity theft

    Well it doesn't make me feel secure knowing that i had an error and only now it will be fixed. It also reminds me of the Intel and AMD processor bugs they had and they only knew about it after they sold a few million models or so .... Why don't you guys inspect your merchandise better before actually selling it to consumers ?
    You know, the consumers are the ones who pay and suffer the consequences because of your little mistakes.. .