Single Android flaw can be used to target entire enterprise

Google's Android "weblogin" feature may be simple and quick to use, but a researcher says a single stolen token can be used to compromise an entire Google Apps domain.
Written by Charlie Osborne, Contributing Writer
Credit: CNET

A security researcher exploring the weak links in Google's Android ecosystem says that a single feature can be used to compromise a business's entire set of Google Apps services, bypassing two-step verification entirely.

Speaking at the Def Con 21 hacking conference, Tripwire senior security researcher Craig Young said he is able to "fully compromise Google Apps" using only one feature. The weak link? The "weblogin" token that lets Android users sign in once for all Google-based services, as reported by Dark Reading.

Does Android trade security for convenience? Young believes so. Rather than prompting for a password, the feature exchanges a token stored on the device for a browser session cookie, so whoever holds the token is logged in without re-entering a password or a second factor. If that token belongs to an administrator of a Google Apps domain, it opens the domain control panel too. Once inside, an attacker could reset passwords, download files from Drive, disable two-step verification, modify user roles and create mailing lists, potentially full of spam or malicious content.

Access can be obtained physically, if a device that is already logged in and holding tokens falls into the wrong hands, or through root exploits, chip-off forensics or, most commonly, malware. If a systems administrator with access to the domain control panel is carrying a compromised mobile device and unwittingly running malicious applications, then it may only be a matter of time before the stolen token is used to steal data, download files or reset account passwords.

The researcher's findings should make businesses sit up and take note, especially given recent Trend Micro data showing that the rate of malicious applications being uploaded to the Google Play store has jumped by 40 percent in the past several months. Dodgy applications found in the Android ecosystem rose to 718,000 at the end of the second quarter, compared with 509,000 in the first quarter of this year.

In an interview with the publication, Young said:

"The reason I [went] with this token research is I bought an Android tablet about a year ago and realized Chrome auto-signed me into Google's websites, which made me very unhappy. At that time, I hadn't realized Google Apps control panel was exposed this way, too: it was a real revelation. I had used Google Apps domain for a while now, and had always logged in using that admin account."

Young says the best ways to protect yourself and your business against such threats are to remain vigilant when an application on the device requests a token for your Google account, to run antivirus software that looks for root exploits, and to install applications only from trusted sources.

"Companies using Google for the cloud need to make sure that their IT admins who need to have admin access to the Google Apps control panel do so but not necessarily from their phones. If they do, then they need to enter a password," Young says.
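To make the mechanism and the mitigation concrete, the following is an added example written for this page; it is not code from Google, Android or Young's research, and every name in it (WebLoginBroker, mint_device_token, the admin@example.com account, the credentials and the HMAC secret) is hypothetical and constructed for the example. It models a weblogin-style exchange: a long-lived device token, minted once after a full login, is swapped for a browser session cookie with no password or second-factor prompt, so a control panel that trusts that session alone is only as secure as the device holding the token. The hardened configuration then applies the control Young recommends, demanding a fresh password and second factor before any admin action, and shows that the same stolen token is no longer enough.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SERVER_SECRET = b"constructed-demo-secret"  # assumption: server-side HMAC key, constructed for the example

# LEVEL_TOKEN: session came from a stored device token, no password or second factor shown.
# LEVEL_STEPUP: password and second factor were presented in this session.
LEVEL_TOKEN, LEVEL_STEPUP = 1, 2


def mint_device_token(account: str) -> str:
    """Issued once after a full login (password + 2SV) and then kept on the device."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_SECRET, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{account}:{nonce}:{tag}"


def verify_device_token(token: str) -> str:
    """Return the account a token belongs to; raise ValueError if malformed or forged."""
    parts = token.split(":")
    if len(parts) != 3:
        raise ValueError("malformed token")
    account, nonce, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad token signature")
    return account


@dataclass
class Session:
    account: str
    level: int
    stepped_up_at: Optional[float] = None


class WebLoginBroker:
    """Models a weblogin-style exchange: device token in, browser session cookie out."""

    def __init__(self, admins, clock, require_stepup_for_admin=True, stepup_ttl=600.0):
        self.admins = set(admins)
        self.clock = clock                      # injectable time source so the demo is deterministic
        self.require_stepup_for_admin = require_stepup_for_admin
        self.stepup_ttl = stepup_ttl            # seconds a step-up stays valid
        self.sessions: Dict[str, Session] = {}
        self.credentials = {}                   # account -> (password, otp); constructed test data

    def exchange_token(self, token: str) -> str:
        """The convenience path: a valid token yields a logged-in session with no prompt at all."""
        account = verify_device_token(token)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(account, LEVEL_TOKEN)
        return cookie

    def step_up(self, cookie: str, password: str, otp: str) -> bool:
        """Re-authenticate an existing session with password and second factor."""
        session = self.sessions[cookie]
        good_pw, good_otp = self.credentials[session.account]
        if hmac.compare_digest(password, good_pw) and hmac.compare_digest(otp, good_otp):
            session.level, session.stepped_up_at = LEVEL_STEPUP, self.clock()
            return True
        return False

    def admin_action(self, cookie: str, action: str) -> str:
        """A control-panel action such as a password reset or disabling 2SV."""
        session = self.sessions.get(cookie)
        if session is None:
            raise PermissionError("no session")
        if session.account not in self.admins:
            raise PermissionError("not a domain admin")
        if self.require_stepup_for_admin:
            fresh = (session.level == LEVEL_STEPUP and session.stepped_up_at is not None
                     and self.clock() - session.stepped_up_at <= self.stepup_ttl)
            if not fresh:
                raise PermissionError("step-up required: re-enter password and second factor")
        return f"{session.account} performed {action}"


def run_demo() -> Dict[str, str]:
    """Replay the article's scenario: malware on an admin's phone has read the device token."""
    now = [1_000_000.0]
    admin = "admin@example.com"                 # constructed account
    stolen = mint_device_token(admin)           # what malware, a root exploit or chip-off recovers

    def attempt(broker, cookie):
        try:
            broker.admin_action(cookie, "reset_password(user@example.com)")
            return "allowed"
        except PermissionError as err:
            return f"denied: {err}"

    results = {}
    # Weak configuration: the control panel trusts any logged-in session.
    weak = WebLoginBroker({admin}, lambda: now[0], require_stepup_for_admin=False)
    results["weak"] = attempt(weak, weak.exchange_token(stolen))

    # Hardened configuration: admin actions need a fresh password + second factor.
    hard = WebLoginBroker({admin}, lambda: now[0], require_stepup_for_admin=True, stepup_ttl=600.0)
    hard.credentials[admin] = ("correct-horse-battery", "482193")
    cookie = hard.exchange_token(stolen)
    results["hardened_token_only"] = attempt(hard, cookie)      # attacker holds only the token
    hard.step_up(cookie, "correct-horse-battery", "482193")      # the real admin re-authenticates
    results["hardened_after_stepup"] = attempt(hard, cookie)
    now[0] += 601.0                                              # the step-up window lapses
    results["hardened_stepup_expired"] = attempt(hard, cookie)
    return results
```

The point of the step-up window is that the token alone never unlocks an admin action: the attacker who copied it off the phone still needs the password and the second factor, which is exactly what the weblogin convenience path skips. A real deployment would also bind the step-up to the specific privileged operation and log every denied attempt, since a burst of "step-up required" failures from an admin's session is a useful signal that the device token has leaked.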

For more information, view Young's presentation slides (.pdf).

Via: Dark Reading
