Whenever applications on an Android device need to communicate with Google services like Google Calendar, they receive an authentication token so the user does not have to re-enter his login information within a certain timeframe. But what the University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub discovered is that sometimes the token is transferred in plain text over wireless networks. That means if a hacker is looking to steal login data, he could find a way to capture those plain-text authentication tokens so he could pose as a legitimate user to access other devices or services. After all, there is a single login across Google's products -- from Gmail to Google Checkout -- and all the data is in the cloud, so the information will function across platforms.
Researchers ran tests on the following Android devices and Google products: Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services).
Some of their findings include:
Until Android 2.3.3 the Calendar and Contacts apps transmit any request in the clear via http and are therefore vulnerable to the authToken attack. This affects 99.7% of all Android smartphones (stats from 2nd of May 2011). Since Android 2.3 the Gallery app provides Picasa Web Albums synchronization which is also not encrypted.
Since Android 2.3.4, the Calendar and Contacts apps are using a secure https connection. However, the Picasa synchronization is still using http and thus is still vulnerable.
Our sniffed authTokens were valid for several days (14 days for a sniffed Calendar authToken), which enables adversaries to comfortably capture and make use of tokens at different times and locations.
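As an added example (not code from the article or from the Ulm researchers), the following Python sketches the two defender-side checks the findings above point to: an app-side guard that only attaches an authToken to HTTPS requests and refuses tokens older than a short policy window (the researchers saw sniffed Calendar tokens stay valid for 14 days), and an audit over a constructed plaintext capture of your own device's traffic that reports which requests carried an Authorization header without reproducing the secret. The "GoogleLogin auth=" header shape, the host names, the token value, the timestamps and the one-hour policy are all assumptions made for the example.

```python
"""Defender-side checks for plaintext authToken leakage.

Added example, not code from the article or the researchers. Header shape,
hosts, token values, timestamps and the token-age policy are assumptions.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed policy: a token should not stay usable for days, as the sniffed
# Calendar token did. One hour is a constructed value for the example.
MAX_TOKEN_AGE = timedelta(hours=1)

# Constructed timestamps used by the demo and the tests.
NOW = datetime(2011, 5, 16, 12, 0)
ISSUED_RECENT = NOW - timedelta(minutes=10)
ISSUED_OLD = NOW - timedelta(days=14)


class InsecureTransport(Exception):
    """Raised when a token would travel over a non-TLS connection."""


class StaleToken(Exception):
    """Raised when a token has outlived the configured policy."""


def classify(url, issued_at, now):
    """Decide whether a token may be attached to a request to `url`.

    Returns "insecure_transport", "stale_token" or "ok"."""
    if urlsplit(url).scheme != "https":
        return "insecure_transport"
    if now - issued_at > MAX_TOKEN_AGE:
        return "stale_token"
    return "ok"


def prepare_request(url, token, issued_at, now):
    """Return the headers for a sync request, or raise instead of sending the
    token in the clear or past its policy age."""
    verdict = classify(url, issued_at, now)
    if verdict == "insecure_transport":
        raise InsecureTransport("refusing to send authToken over plaintext")
    if verdict == "stale_token":
        raise StaleToken("token older than policy allows; re-authenticate")
    # Assumed ClientLogin-era header shape.
    return {"Authorization": f"GoogleLogin auth={token}"}


def redact(credential):
    """Keep the auth scheme and a short prefix so the finding is actionable
    without writing the secret into a report."""
    scheme, _, secret = credential.partition(" ")
    return f"{scheme} {secret[:8]}...({len(secret)} chars)"


def audit_plaintext_capture(raw_requests):
    """Scan HTTP request texts recovered from a plaintext capture of your own
    device (anything readable on the wire is by definition unencrypted) and
    return one (host, request line, redacted credential) finding per request
    that carried an Authorization header."""
    findings = []
    for raw in raw_requests:
        head, _, _ = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        request_line = lines[0]
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        credential = headers.get("authorization")
        if credential:
            findings.append((headers.get("host", "?"), request_line,
                             redact(credential)))
    return findings


# Constructed sample capture: one sync request leaking a token, one benign fetch.
SAMPLE_CAPTURE = [
    "GET /sync/full HTTP/1.1\r\n"
    "Host: calendar.example\r\n"
    "Authorization: GoogleLogin auth=DQAAAexampletoken0001\r\n"
    "User-Agent: ExampleSyncClient/1.0\r\n\r\n",
    "GET /static/logo.png HTTP/1.1\r\n"
    "Host: www.example.net\r\n\r\n",
]

if __name__ == "__main__":
    for finding in audit_plaintext_capture(SAMPLE_CAPTURE):
        print("cleartext credential:", finding)
    for url in ("http://calendar.example/sync/full", "https://calendar.example/sync/full"):
        print(url, "->", classify(url, ISSUED_RECENT, NOW))
```

The audit deliberately reports only a redacted fingerprint of each credential, which is enough to identify the leaking app and version for a bug report or an upgrade decision while keeping the report itself from becoming a second copy of the token.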
Put simply, the possible consequences range from hackers changing an unsuspecting person's password to gaining access to sensitive emails and private photos.
According to the BBC article, "Almost all versions of the Android operating system were passing round unencrypted authentication tokens, found the researchers. It was fixed in version 2.3.4 but, suggest Google figures, only 0.3% of Android phones are running this software."
So the best way to protect your Android device against identity theft is to update the OS to version 2.3.4, which is an upgrade on Gingerbread. Officially, this update is only available for the newest handsets like the Google Nexus S and Nexus S 4G and is not intended for older Android devices. Hopefully an update for all devices will follow soon to plug this security hole.