A trio of German security researchers from the University of Ulm have looked into the question of whether “it was possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs (application programming interface).” In other words: We are so hosed.
The problem is in the way that applications which deal with Google services request authentication tokens . These tokens are sometimes not even encrypted themselves and are good, in some cases, for up to two weeks. All a hacker has to do is grab these off an open Wi-Fi connection and you have the “key” to someone’s Gmail account, their Google calendar, or what have you.
It’s not just limited to Android apps though. The researchers also report that “this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS.”
Grabbing this information off the air is trivial. While it’s not as easy as using Firesheep to hi-jack a Web session, anyone with a lick of hacking talent and a network protocol analyzer such as WireShark can grab your tokens. With those in hand they can then change your Google passwords or do anything else they want with your various Google accounts.
Google, the Android smartphone and tablet makers, and the telecoms must fix this. Now.
While Android 3.x and Android 2.3.4 require the Google Calendar and Contacts apps to use the more secure HTTPS for their connections, your devices are very unlikely to currently have either one. The vendors must push out these updates sooner rather than later. In addition, Google needs to require all its ClientLogin requests to be made over secure connections. Developers should switch from ClientLogin to Oauth or some other more secure user authentication routine.
What can you do as an Android user? Well, as you wait for your vendor to update your device to Android 2.3.4, you can make a habit of not using any open Wi-Fi network.
That’s often easier to say than to do. In that case, I recommend that you either user your corporate VPN or look into setting up a Virtual Private Network (VPN) to call your own. This used to be something only a network administrator should try, but lately it’s become much easier to set up a small business, or even home, VPN server.
Fortunately, you shouldn’t need to add any software to your Android device to get it to work with your VPN. Android comes with its own built-in VPN software. This software supports most of the common VPN protocols. You’ll find it on your Android device under Wireless and Network settings/VPN Settings/Add VPN.
There are also VPN Android programs, such as 1 VPN and NeoRouter for Android, but you should try using Android’s built-in VPN setup mechanisms first. If that proves a little too difficult for you, then try one of these programs.
The real answer, of course, needs to come from Google, the hardware vendors, and the telecoms. Google’s Android developers need to improve security in their latest operating systems and patch the older versions of Android to handle the tokens securely. In turn, the vendors and telecoms need to ship the latest versions of Android, with security patches, to users as soon as possible. Until they do, it’s only a matter of time before users start losing important information through this hole to data thieves.
Related Stories:
99.7% of all Android smartphones vulnerable to serious data leakage
But, seriously anyone with a Network+ level of network experience could do it easily.
