A whopping 99.7% of Android smartphones are leaking login data for Google services, and could allow other access to information stored in the cloud, so claim German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm.
The problem is in the way that applications which deal with Google services request authentication tokens. These tokens are handy in that they eliminate the need for the user to login to the service, but as the researcher discovered these tokens are sometimes sent in plaintext form over wireless networks. This means that anyone who happened to be eavesdropping on the WiFi network could grab these tokens.
What's worse is that tokens are not specific to the handset, which means that a token destined for one handset could be used on another.
The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.
To make matters worse, tokens are valid for a long period of time (14 days for Calendar tokens), which means that someone grabbing your token could have two weeks worth of access to your data.
Grabbing these tokens would be trivial:
To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.
So, if you rely on your Android handset and Google services to get your work done, what can you do? The researchers offer up three suggestions:
- Upgrade your handset to Android 2.3.4 which offers HTTPS for Google Calender and Contacts sync. However, you may have to wait weeks or months for this update from your carrier, or worse still you may never see it (Like Verizon customers, who are stuck on Android 2.2.2 despite the fact that it contains multiple known vulnerabilities). - NOTE: This update still leaves Picassa Sync vulnerable.
- Switch off automatic sync when using open WiFi.
- Better still, avoid using affected apps on open WiFi connections.
Seems like Android and Google together aren't doing a good job of protecting user's data.