Android has a gaping network security hole

Android has a gaping network security hole

Summary: Yes, 99.7% of all Android devices really are "potentially" vulnerable to data leaks. Here's what you can do about it today.


A trio of German security researchers from the University of Ulm have looked into the question of whether "it was possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs (application programming interface)." In other words: We are so hosed.

The problem is in the way that applications which deal with Google services request authentication tokens . These tokens are sometimes not even encrypted themselves and are good, in some cases, for up to two weeks. All a hacker has to do is grab these off an open Wi-Fi connection and you have the "key" to someone's Gmail account, their Google calendar, or what have you.

It's not just limited to Android apps though. The researchers also report that "this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS."

Grabbing this information off the air is trivial. While it's not as easy as using Firesheep to hi-jack a Web session, anyone with a lick of hacking talent and a network protocol analyzer such as WireShark can grab your tokens. With those in hand they can then change your Google passwords or do anything else they want with your various Google accounts.

Google, the Android smartphone and tablet makers, and the telecoms must fix this. Now.

While Android 3.x and Android 2.3.4 require the Google Calendar and Contacts apps to use the more secure HTTPS for their connections, your devices are very unlikely to currently have either one. The vendors must push out these updates sooner rather than later. In addition, Google needs to require all its ClientLogin requests to be made over secure connections. Developers should switch from ClientLogin to Oauth or some other more secure user authentication routine.

What can you do as an Android user? Well, as you wait for your vendor to update your device to Android 2.3.4, you can make a habit of not using any open Wi-Fi network.

That's often easier to say than to do. In that case, I recommend that you either user your corporate VPN or look into setting up a Virtual Private Network (VPN) to call your own. This used to be something only a network administrator should try, but lately it's become much easier to set up a small business, or even home, VPN server.

Fortunately, you shouldn't need to add any software to your Android device to get it to work with your VPN. Android comes with its own built-in VPN software. This software supports most of the common VPN protocols. You'll find it on your Android device under Wireless and Network settings/VPN Settings/Add VPN.

There are also VPN Android programs, such as 1 VPN and NeoRouter for Android, but you should try using Android's built-in VPN setup mechanisms first. If that proves a little too difficult for you, then try one of these programs.

The real answer, of course, needs to come from Google, the hardware vendors, and the telecoms. Google's Android developers need to improve security in their latest operating systems and patch the older versions of Android to handle the tokens securely. In turn, the vendors and telecoms need to ship the latest versions of Android, with security patches, to users as soon as possible. Until they do, it's only a matter of time before users start losing important information through this hole to data thieves.

Related Stories: 99.7% of all Android smartphones vulnerable to serious data leakage

Most Android devices vulnerable to identity theft

Connect to a PPTP VPN from your Android phone

Topics: Smartphones, Android, Google, Hardware, Mobile OS, Mobility, Networking, Security, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It's not quite THAT big a hole

    I actually scraped a layer of paint off of the hull of the ship I sailed thru it, so it's not quite as big as everyone is claiming.
    Will Pharaoh
    • RE: Android has a gaping network security hole

      @Will Pharaoh

      Just checking, but I'm pretty sure this is exactly the same giant whole in which PCs, iPhones, and every single other device which transmits unencrypted ethernet packets falls. It is a strong argument for why it completely unethical for service providers to hold up updates, however.
      • RE: Android has a gaping network security hole

        @tkejlboom you wouldn't be questioning who paid for this to be discovered would you? This is nothing like Facebook paying a PR company to find flaws with Google, oh no it isn't
      • RE: Android has a gaping network security hole

        @tkejlboom very true, but they still do it :/
      • RE: Android has a gaping network security hole


        I would like to see the author of the article address your point: PC, iPhone of every stripe, do they have a similar problem? I think the title of the article says a lot; there is more heat than light in the article.
      • RE: Android has a gaping network security hole

        @tkejlboom How is that relevant to the issue involving Android? Are you really such an insecure Google fanboy that you'll bring up an irrelevant point to defend Google/Android?

        We know PCs and Macs have security holes. But that has nothing to do with the article at hand. The article is about Android.
    • RE: Android has a gaping network security hole

      @Will Pharaoh lol
    • RE: Android has a gaping network security hole

      <a href="">Destination Wedding dresses</a>
      This is a great article thanks for sharing this informative information. I will visit your blog regularly for some latest post.
  • RE: Android has a gaping network security hole

    "anyone with a lick of hacking talent and a network protocol analyzer such as WireShark can grab your tokens."

    I guess that excludes the entire staff at ZDNET Huh? =D
    • RE: Android has a gaping network security hole

      @Peter Perry Well, I could certainly do it in my sleep. :-) But, seriously anyone with a Network+ level of network experience could do it easily.

    • RE: Android has a gaping network security hole

      @Peter Perry Really, this is a non issue for you (I do kind of agree) but you had such outrage at Apple because past location information was stored on the phone and in the back on the PC? Your Fandroid status has risen so quickly as of late, are you know the poster boy for them?
  • RE: Android has a gaping network security hole

    It's so Google can sniff your data.
    The one and only, Cylon Centurion
  • Google needs to use their vast experience

    of breaking into people personal computers and apply a suitable defense for their Android system. But Google would rather rush this crappy system out so they can make a quick buck off you instead.
    • RE: Android has a gaping network security hole

      [citation needed]
    • RE: Android has a gaping network security hole

      @iPad-awan It should be noted that in all of these so-called Android security problems, the bug has been fixed in Android before problems arise but mobile carriers just don't ship the update.
      • RE: Android has a gaping network security hole

        @tomdwright While maybe true how does that help all the Android users out there? Don't know the details or if it is the same story but there was something on the news last night about a new security issue on Android phones. They said Google promised a fix within a few days. My thought was great job Google in getting the fix but too bad for all the users who don't get updates.
  • RE: Android has a gaping network security hole

    Android devices affected are not just smartphones with Froyo, there are many tables out there like Samsung Galaxy tablet which comes with Froyo, I think phone carriers and hardware manufacturers selling Froyo OS Android version should send their devices back to Google and they should fix them, the carriers and hardware companies are not the problem it is Google's fault.
    Gabriel Hernandez
    • RE: Android has a gaping network security hole

      @Gabriel Hernandez Don't the carriers have to test and approve any change before it can be rolled out to the devices on their networks?
    • It would be appropriate punishment for Google for creating such fragmented

      @Gabriel Hernandez: ... system, but the scale of recall of like 95% of 344 Android-powered devices will be too much for Google to bear willfully (even though financially they are fully capable of bearing such expenses).

      So no, nothing like this will happen and like 320 Android-powered models will be vulnerable for half year or year before 2.3.4 update, or forever, since most of these models will be never updated at all.
      • It's a free OS dude...


        Google doesn't need to recall anything... They gave it away for free, as is, no promises... Ultimately, the wannabe phone makers and the carriers are responsible for the software they put on the wannabe phones they slapped together and sold to the masses of fools.

        Google doesn't care... They don't screen Roid apps for malware, what makes you think they screen anything including the OS they give away for free?

        It's actually kinda ironic... A big stinking swollen security hole in the Roid OS... LOL Who couldn't see that one coming... LOL