Android's Personal Data Leakage Problem


I own an Android. You own an Android. Heaps of people own Androids. But apparently 99 per cent of them can be easily attacked whenever their owners log into a website on an unsecured network.


This is according to researchers at the University of Ulm, in Germany, who found that any phone running a version of Android prior to 2.3.3 is vulnerable to attack because of a weakness in the ClientLogin authentication protocol. Any time an Android user signs into a service such as Twitter, Facebook or a new Google account, the authToken information is stored for 14 days, and is accessible if you know how to go about it, claim the researchers:

"To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks... With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing."

The team feigned an attack, and found it was "quite easy to do so." Gulp. The reason 99 per cent of the Android handsets in existence are said to be vulnerable to such an attack? It's because any phone not running Android 2.3.4, which Google released a few weeks ago, hasn't had the security hole patched yet.

While a fix from Google would solve this problem, Android users are recommended to only use ClientLogin on https sites for now. [Uni-Ulm via The Register]
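To check which of your own apps are affected, the audit below (an added example, not code from the article or the researchers) scans requests recorded by a proxy on a test device and reports every authToken that left the phone without TLS, together with the worst-case date until which it stays valid. The `Authorization: GoogleLogin auth=` header is the ClientLogin header format, which the article does not quote; the hosts, tokens and timestamps are constructed.

```python
import hashlib
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)  # validity period stated in the article
# ClientLogin header form; assumed to be the only token carrier audited here.
AUTH_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

# Constructed sample: (time seen, URL, headers) as recorded by your own proxy.
SAMPLE = [
    ("2011-05-17T09:00:00", "http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-AAA"}),
    ("2011-05-17T09:00:02", "https://contacts.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-BBB"}),
    ("2011-05-17T09:00:05", "http://img.example.test/logo.png", {}),
    ("2011-05-17T09:01:00", "HTTP://photos.example.test/data/feed",
     {"authorization": "googlelogin auth=CONSTRUCTED-TOKEN-CCC"}),
]

def find_plaintext_tokens(records):
    """Return one finding per request that sent an authToken without TLS."""
    findings = []
    for seen_at, url, headers in records:
        parts = urlsplit(url)  # urlsplit lowercases the scheme
        if parts.scheme == "https":
            continue  # token was protected in transit
        # HTTP header names are case-insensitive
        value = next((v for k, v in headers.items()
                      if k.lower() == "authorization"), None)
        match = AUTH_RE.match(value.strip()) if value else None
        if not match:
            continue
        seen = datetime.fromisoformat(seen_at)
        findings.append({
            "host": parts.hostname,
            # fingerprint instead of the token, so the report is safe to share
            "token_id": hashlib.sha256(match.group(1).encode()).hexdigest()[:12],
            # worst case: the token was issued at the moment it was seen
            "replayable_until": (seen + TOKEN_LIFETIME).isoformat(),
        })
    return findings

if __name__ == "__main__":
    for finding in find_plaintext_tokens(SAMPLE):
        print(finding)
```

Any host in the output is a service whose sync traffic needs to move to https, and any token listed should be treated as exposed until the reported date.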



So what you are saying is that only people who have a default network SSID are vulnerable? And that anybody with a sniffer sitting in a real Starbucks would be able to capture those packets anyway? And that you shouldn't be doing anything you don't want copied over an unencrypted/unsecured connection anyway?

Good thing I already rename them to something other than the default, so that I don't get hacked with a RainbowTable attack over WPA then. And when I use those unsecured points, I always delete them again afterwards because they clutter up my list of network names.

So, in reality—it is really far less than 99% of Android users.

PHEW! For a second there, I was almost sure that it was a real danger and not just people being stupid again.