Single Android flaw can be used to target entire enterprise

Summary: Google's Android "weblogin" feature may be simple and quick to use, but researchers say it can be used to take down an entire system of applications.

Credit: CNET

A security researcher exploring the weak links in Google's Android ecosystem says that a single feature can be used to compromise a plethora of business applications -- and bypass two-step verification entirely.

Speaking at the Def Con 21 hacking conference, Craig Young, a senior security researcher at Tripwire, said he is able to "fully compromise Google Apps" using only one feature. The weak link? The "weblogin" token that allows Android users to sign in once for all Google-based services, as reported by Dark Reading.

Does Android trade security for convenience? Young believes so. Rather than prompting for a password, the feature authenticates with a token that behaves much like a session cookie -- but if an attacker uses that token to reach the domain control panel, then havoc can ensue. Once breached, a hacker could reset passwords, download files from Drive, disable two-step verification, modify user roles and create mailing lists -- potentially full of spam or malicious content.

The token can be obtained physically -- if a device is already logged in using tokens -- or through root exploits, chip-off forensics or, most commonly, malware. If a systems administrator with access to the domain control panel has a compromised mobile device and is unwittingly running malicious applications, then it may only be a matter of time before the log-in system is used to steal data, download files or reset account passwords.

The researcher's findings should make businesses sit up and take note, especially considering recent Trend Micro data which says the rate of malicious applications being uploaded into the Google Play store has jumped by 40 percent in the past several months. Dodgy applications found in the Android ecosystem rose to 718,000 at the end of the second quarter, in comparison to 509,000 in the first quarter of this year.

In an interview with the publication, Young said:

"The reason I [went] with this token research is I bought an Android tablet about a year ago and realized Chrome auto-signed me into Google's websites, which made me very unhappy. At that time, I hadn't realized the Google Apps control panel was exposed this way, too: it was a real revelation. I have used a Google Apps domain for a while now, and had always logged in using that admin account."

Young says the best ways to protect yourself and your business against such threats are to remain vigilant when receiving token requests, run antivirus software to seek out root exploits, and only purchase or download applications from trusted sources.

"Companies using Google for the cloud need to make sure that their IT admins who need to have admin access to the Google Apps control panel do so but not necessarily from their phones. If they do, then they need to enter a password," Young says.
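The server-side counterpart of Young's advice, as an added example written for this page rather than Google's or Tripwire's code: a session that was established from a token stored on the device is treated as a bearer credential and is not allowed to perform control-panel actions until the user re-proves a password plus second factor. The session fields, action names and the 15-minute window are constructed for illustration.

```python
"""Step-up authentication guard for an admin control panel.

Added example, not ZDNet's, Google's or Tripwire's code. It models the
mitigation Young describes: a session established from a stored device
token (weblogin-style single sign-on) must not reach privileged admin
actions until the user re-proves a password plus second factor.
Field names, action names and the 15-minute window are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AuthMethod(Enum):
    DEVICE_TOKEN = "device_token"   # auto sign-in from a token on the device
    PASSWORD = "password"           # password only, no second factor
    PASSWORD_2SV = "password+2sv"   # password plus second factor


@dataclass
class Session:
    user: str
    is_domain_admin: bool
    method: AuthMethod               # how the current session was established
    strong_auth_at: Optional[float]  # last password+2SV proof, epoch seconds


# Privileged actions named in the article that a stolen token must not unlock.
ADMIN_ACTIONS = {"reset_password", "disable_2sv", "modify_roles",
                 "create_mailing_list", "download_drive_files"}
STRONG_AUTH_MAX_AGE = 15 * 60   # seconds; constructed policy value


def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'deny' or 'reauth' for one admin-console request."""
    if action not in ADMIN_ACTIONS:
        return "allow"              # ordinary requests keep working from a token
    if not session.is_domain_admin:
        return "deny"
    # A token stored on the device is a bearer credential: if the device is
    # compromised, so is the token. Only a fresh password+2SV proof counts.
    if session.method is not AuthMethod.PASSWORD_2SV or session.strong_auth_at is None:
        return "reauth"
    if now - session.strong_auth_at > STRONG_AUTH_MAX_AGE:
        return "reauth"             # proof is stale; prompt again
    return "allow"
```

A "reauth" result is where the control panel would redirect to a password and second-factor prompt instead of serving the request.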

For more information, view Young's presentation slides (.pdf).

Via: Dark Reading

  • Charlie

    I'm seriously starting to think you draw a paycheck from Microsoft. You have 2-4 of these FUD stories a week and all of them have comments from all the usual Microsoft shills... pathetic. Journalism at its worst. I actually used to like some of your articles.
    • misrepresentation

      "... The researcher's findings should make businesses sit up and take note, especially considering recent Trend Micro data which says the rate of malicious applications being uploaded into the Google Play store has jumped by 40 percent in the past several months. ..."

      The Trend Micro report DOES NOT say that the malware rise is IN the Google Play store.
      Please don't make that assumption when you read these 3rd party AV scanner reports.
      Charlie, you are creating Chinese whispers with the FUD.
    • censorship here!!!

      There is also censorship here when you want to defend Android and show the proofs about Windows' or Apple's security.

      1) install from Play Store = no malware, not a threat
      2) Windows = backdoor by NSA....use as you wish
      3) Apple = the poorest security in the world according to stats = there was a time you could get root of iPhone by just visiting a website, articles "iPhones most vulnerable among smartphones", "40% of iOS popular apps invade your privacy without any permission."
  • OK, so what the researcher is basically saying

    there's no way to exploit this right now, but there COULD be someday, and if it happened, it would be REALLY BAD. There are a lot of things in this world that COULD happen someday, and if they did it would be REALLY BAD.

    I'm not a fandroid by any means, but seriously, folks, I'm supposed to get all in a lather over this?
    • One more thing

      He's browsing the Internet, participating in Google+ and logging into multiple websites - on the Google Apps administrator account. This is the same as doing the same thing while logged in as a Windows Domain administrator: so ignorant of best practice that it is not credible.
    • not exactly

      This can be actively abused in many ways. One option is to use an Android app like the one I made. Alternatively, Windows or OS X malware would do the trick if a user signs into Chrome.
  • LOL

    Not surprising considering Android is Linux based. You won't find these flaws in Windows.
    Nick Thompson
    • LOL Nope

      Nope, you just find OTHER flaws in Windows.

      Every platform has vulnerabilities.
    • No you're right

      It was a totally different problem that exposed your entire network via WP phones.
      Little Old Man
    • Clearly you have no idea

      What you are talking about. Linux systems have features built into the kernel that make Linux distros inherently more secure than Mac OS X and Windows (such as the inability to install ANYTHING without a root/admin password). Some distros and projects (like Android and Ubuntu) don't use all of those features, but that is unique to them, NOT to all Linux. The built-in iptables, ACLs, and SELinux security measures, coupled with rsyslog/syslog-ng, Puppet/Chef, and monitoring, mean Linux outstrips Windows security any day.
      • Re: Clearly you have no idea
        Your previous post was more valid, this one is not.

        First, you can install and run software on Linux without having any elevated (or even root) privileges. This is actually the preferred way of doing it. Unfortunately, it is not done for various reasons.

        Second, both OS X and Windows do provide mechanisms to protect the OS -- differently of course.
        OS X, as a certified UNIX system, offers the same security measures found in Linux, plus some more. In addition, by default OS X does not require administrator privileges for users to install application software, which is the correct thing to do -- and both Linux and Windows should use that model. On OS X you only need administrator privileges if you need to install software that must run with elevated privileges, or install shared software components.

        Windows, although having all the required infrastructure, by default grants (transparent) administrator privileges to the "user" - this is done for "convenience" which unfortunately leads to glaring holes in Windows security. Further, most of Windows is extremely buggy and elevated privileges can be obtained much easier than on other platforms.

        In summary, all these operating systems provide the toolkit to make the system more secure. However, only Apple with OS X has actually made sensible defaults. Properly tuning Linux can make it just as secure as OS X, and Windows... requires much more work to be kept secure, at some level at least.
    • troll or joke?

      MS have several of the most security flawed apps in history.. Where are we up to overall in IE now? must be hundreds of thousands of flaws in that app alone. Now add Outlook and IIS to the list.
  • This "flaw" is actually two flaws

    First flaw: Google Apps allows access to the admin page without prompting the user for the passcode every time. This can be easily fixed server-side by requesting a login each time the user navigates to the page.

    Second flaw: Malicious apps can get access to your personal secrets, including your weblogin token. This is not a new flaw, and compromises all your secrets, not just enterprise data.

    The second flaw cannot be easily fixed. Between the awful OS upgrade story on Android, and the lack of control over apps that are available for end users to install, this flaw is part and parcel of the Android experience.
    • Your second flaw is not an Android problem

      Malicious apps exist for every OS, because anybody that decides to write a malicious app can do it.
  • Escalation in the enterprise

    The concept of escalation of rights has long existed. Once someone with ill intent gets into the enterprise, via software flaw, social engineering, etc., they can usually figure out a way to escalate their rights to enterprise level. This concept is platform independent. It doesn't matter if it starts with a windows PC with a keylogger installed or an Android with a compromised weblogin, the result will be the same.
    Craig Herberg
  • Fandroid/google apologists

    will be out in force today. They always try to make it about someone else's OS.
    • ...

      in fact if you read just about any zdnet article... it's always owlllllllllllllllllllllllnet (each 'l' being another shill account he owns) that has something to say about other operating systems, usually windows. anybody that knows what they're talking about (android fan or not) knows that all these stories are just FUD made up to scare people into not buying google or linux products. It's pure garbage.
  • Single Android flaw can be used to target entire enterprise

    After reading this news I'm going to email the top 3 at the company and have them block android immediately. Somewhere between the android flaw and the other article about it having more malware than anything else it won't be hard to convince them.
    • Wait. Loverock-Davidson.

      You haven't done this already? I should think -you- send that email -every- day.
    • It's still FUD

      Just because more malware exists doesn't make a platform bad... all it says is that the platform is popular (Windows anyone?). I have been using Android at home and at work for 4 years and never had malware issues at all. Same for my wife. Simply put, Android malware is much more prevalent when installing apps from an unknown store or when a user doesn't research the app they want to download (not that hard - look at reviews, # of reviews, company name, description, etc).

      In my experience in IT, 90% of all malware issues we face are due to users making poor and/or uneducated choices that STEM from unrealistic expectations about what technology can/should be able to do.