99% of Android Handsets Open to Information Theft

Alright, so quick poll: how many out there are running Android 2.3.4? According to data released the answer should be about 1%, and more importantly, according to The Register, the other 99% of us are quite vulnerable to information theft. The UK based publication says that potential hackers steal authentication tokens that the Android device sends to various websites or accounts for security clearance. Care to know how you can be attacked? Check in after the break.

The research was done by the University of Ulm, who found that the exploit is due to incorrect use of ClientLogin, an authentication protocol used by the Android operating system. The hole is patched, however, with Android 2.3.4, great for those 1 percent-ers out there. So how does the hack work? “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.” Sounds pretty complicated, right? Actually it’s not. The article continues, “To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

All in all, this is some pretty bad news for Android users and is yet one more reason why Android’s version fragmentation needs to be brought under control oh so quickly. It’s one thing when you’re talking about software features, but software security is just something you can’t mess with, particularly when you’re talking about personal information. If there’s one area that Google needs to get under control, this is it.

[via BGR]


About the Author: Mitch Wright

Witnesses at Mitch Wright’s birth claim that he came out as a mechanical cyborg beast, who then decimated the doctors in the room with a violent laser blast. Naturally, these witnesses are insane. Mitch was born in Texas, grew up in central New Jersey, and then moved back to Texas, where he met his spectacularly awesome wife. He currently works as a repair tech for Major National Carrier, where he is able to fulfill his love for gadgets by taking phones and PDAs apart and (hopefully) fixing them. He has a strong passion for technology, reading, writing, and science fiction, and loves the fact that modern technology is getting ever closer to the latter. In the world of PDAs, Mitch started off in the land of Windows Mobile with the HTC Touch and HTC Diamond, migrated to webOS with the Palm Pre, and has since been infatuated with Android, first with the Samsung Moment and now with the HTC Evo.


  • JPB

    So….if I delete from my settings all wireless networks that aren’t locked down, will that prevent this from happening?

    i.e. Settings->Wireless & network settings->Wi-fi settings, tape & hold attwifi, starbucks, etc. and “forget network”.

    Seems simple enough to avoid. Or did I miss something?

  • marko

    That’s what I got from this as well. From what I know hacking anything isn’t hard if you have a bit of know-how. This doesn’t realty disturb me much.

  • SBP

    Agreed. All this says to me is don’t connect to unknown, unsecured wifi networks. So I have nothing to worry about.

  • Mitch Wright

    That’s the basic gist, which is splendid for those people that actually keep up with tech blogs. Personally, I don’t connect to any publicly accessible wifis. I mean heck, most tech savvy people could simply root their phones and install a 2.3.4 based ROM if they really wanted to (I could even point you to a couple for the Evo). The main victims here would be the more naive individuals, and there’s more and more of those adopting Android as their mobile operating system of choice, thanks to Android’s increasing popularity. That said, if we know of any people in that particular boat, (I know I do) we should use our knowledge to help them out a bit. “With great power comes great responsibility” and all. ;-)

  • DarkDvr

    SHOCKER: All Ecectronic Devices are prone to hacks.

    Big Freaking Surprise!!

  • Ian Whitehead

    Google should provide direct guidance on the problem, any workarounds and when they are going to fix it.