99.7% of all Android smartphones vulnerable to serious data leakage

99.7% of all Android smartphones vulnerable to serious data leakage

Summary: A whopping 99.7% of Android smartphones are leaking login data for Google services, and could allow other access to information stored in the cloud, so claim German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm.

SHARE:

A whopping 99.7% of Android smartphones are leaking login data for Google services, and could allow other access to information stored in the cloud, so claim German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm.

The problem is in the way that applications which deal with Google services request authentication tokens. These tokens are handy in that they eliminate the need for the user to login to the service, but as the researcher discovered these tokens are sometimes sent in plaintext form over wireless networks. This means that anyone who happened to be eavesdropping on the WiFi network could grab these tokens.

What's worse is that tokens are not specific to the handset, which means that a token destined for one handset could be used on another.

The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.

To make matters worse, tokens are valid for a long period of time (14 days for Calendar tokens), which means that someone grabbing your token could have two weeks worth of access to your data.

Grabbing these tokens would be trivial:

To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.

So, if you rely on your Android handset and Google services to get your work done, what can you do? The researchers offer up three suggestions:

  • Upgrade your handset to Android 2.3.4 which offers HTTPS for Google Calender and Contacts sync. However, you may have to wait weeks or months for this update from your carrier, or worse still you may never see it (Like Verizon customers, who are stuck on Android 2.2.2 despite the fact that it contains multiple known vulnerabilities). - NOTE: This update still leaves Picassa Sync vulnerable.
  • Switch off automatic sync when using open WiFi.
  • Better still, avoid using affected apps on open WiFi connections.

Seems like Android and Google together aren't doing a good job of protecting user's data.

Topics: Mobility, Hardware, Smartphones

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

78 comments
Log in or register to join the discussion
  • Yes a serious issue if you use unencrypted WiFi connections...

    ....non-issue if not!<br><br>If you want to use public wifi like BT Openzone then I'd suggestimg downloading their app which connects you to THEIR hotspot and not a copy cat.<br><br>This is big issue as non-techy people will be the victims here as usual!<br><br>

    ~~ EDIT ~~

    Removed fanboism!

    Also as tk_77 points out below, encrypted networks are still vulnerable when they hit the wires at the router end.
    DevJonny
    • WiFi is only part of the path...

      @DevJonny <br><br>And what if someone is packet sniffing on the network the WiFi connects to? Sure, the connection between your device and the WiFi AP can be encrypted, but after that the data will be in the clear between the AP and all the networks enroute to Google.
      tk_77
      • Good point, I didn't think about the wired part of it!

        @tk_77 <br><br>I love Android but I'll hold my hand up when some points out something I've missed like this.
        DevJonny
      • RE: Good point, I didn't think about the wired part of it!

        @DevJonny

        True that general sniffing puts anyone at risk, but then again thats where an SSL connection to Google will come in handy, as it will then encrypt the token no matter how you connect to the network. (of course you can argue the true security of SSL, but at that point you can really argue the security of just about anything over a network)

        It's not often that someone will admit they missed something (especially when it comes down to Google/Apple related things). For that, I've removed part of my post to be less harsh.
        tk_77
      • @tk_77

        @tk_77

        The only way to be truely secure is go offline, and lock your phone away in a safety deposit box I guess!

        I agree, all communications (regardless of triviality) should use SSL, especially something as important as Authentication tokens. But as the article suggests I believe they do with Android 2.3 (good news for me).

        Thanks, I do try to admit when I'm wrong especially when faced with conclusive evidence!
        DevJonny
    • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

      @DevJonny Why is it when ZDNet puts out an article that says the least little thing bad about Android you fandroids are always complaining about the Android Haters? You are just as bad as the WP7 die hards and the Apple fanbois... give the fanboyism a freaking rest already.

      You are right in that it will be the non techie users who will be the victims of this - and with Android's adoption rate it is quite likely there are more non techie Android users than techie Android users.
      athynz
      • Yes, I was being fanboyish. But...

        @athynz <br><br>...you can't deny that there will be hoards of fanbois from the other camps swarming all over this! I've edited my post!<br><br>At least I admit when there is an issue, and this is an issue, especially taking into account what tk_77 said.
        DevJonny
      • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

        @DevJonny
        What are you the great platform defender? So flippin' what man!?
        jessiethe3rd
      • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

        @DevJonny [b]...you can't deny that there will be hoards of fanbois from the other camps swarming all over this![/b]

        No, that I cannot deny at all... all the haters and fanbois will have something to say about this. And despite being the iOS proponent that I am this issue directly affects me since I'm running a rooted NookColor with Froyo... the Nook was a lot cheaper than an iPad and since I own an iPhone 4 the iPad IMHO would be kinda redundant.

        Hopefully there will be a simple fix for my Cyanogen mod.
        athynz
      • @jessiethe3rd Yes I am! Did you miss my election campaign?

        :)
        DevJonny
      • @athynz I believe Cyanogen have already fixed / are fixing this

        :)
        DevJonny
      • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

        @athynz

        That number is clearly skewed to non-techies now. The sales for the Samsung Galaxy phones is through the roof.
        chrlsrchrdsn
    • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

      @DevJonny

      Three quarters of people using the phones have no idea what you said there. You program to your customers and if the majority of you customers wouldn't know about the difference you add encryption to your ID tokens. A little extra security NEVER hurts.
      chrlsrchrdsn
  • I think the point is that

    @mantrik00
    yes, you're absolutelly right, anything can be hacked.
    But it's a little different when the device is "giving "the data away, as it sounds like it's doing here.

    It'll get fixed and that'll be the end of it.
    Will Pharaoh
    • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

      @Will Pharaoh No it really isn't, Facebook hands away your data as the site is not set for https by default so any device connecting on an open network is open to this, it doesn't matter if it is Android, iOS or Crackberry.
      slickjim
    • Since most of 344 Android devices will ***NEVER*** get any update, there ..

      @Will Pharaoh: <b>will be no end of it.</b>

      And even these devices which will get updates, will get them <b>half year or even full year later</b> -- all of that time being vulnerable.
      DDERSSS
    • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

      @Will Pharaoh

      "Maybe this is one of those battle between Facebook and Google???" Paying the author to write up an article to trash the other party???"
      linux4guru
    • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

      @Peter Perry Facebook offers to give you HTTPS seemingly at random...but then when those stupid games that the majority of FB users play are clicked on, it says "sorry, you have to lose your security to play our games, don't worry though, NEXT TIME YOU VISIT you'll be safe again!"

      Since most of the people I know who use Facebook (of which I proudly am not one) play the games and use the apps on there, that means that the HTTPS support added to Facebook and offered up to users with an ominous "you aren't secure!" warning is largely useless.
      cryptikonline
    • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

      @Will Pharaoh It's not giving the data away any more than doing anything else on an unsecured wifi network ffs. It doesn't take a computer scientist to know that doing anything on an unsecured wifi network gives away data.
      snoop0x7b
  • RE: 99.7% of all Android smartphones vulnerable to serious data leakage

    @mantrik00 Despite me being an iPhone fanboy, I agree 100%. These are facts that everyone already knew. You either know how to protect yourself or you don't, plain and simple.
    Bates_