Alright, so quick poll: how many out there are running Android 2.3.4? According to released data, the answer should be about 1%, and more importantly, according to The Register, the other 99% of us are quite vulnerable to information theft. The UK-based publication says that hackers could potentially steal the authentication tokens that an Android device sends to various websites or accounts for security clearance. Care to know how you can be attacked? Check in after the break.
The research was done by the University of Ulm, which found that the exploit is due to incorrect use of ClientLogin, an authentication protocol used by the Android operating system. The hole is patched in Android 2.3.4, however, which is great for the 1 percenters out there. So how does the hack work? “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.” Sounds pretty complicated, right? Actually it’s not. The article continues, “To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
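The condition described above, checked from the defender's side: an added example (not from the article or the researchers) that audits a test proxy's log of a device's outbound requests for ClientLogin tokens sent without TLS. The log layout, host names and token values are constructed; the `GoogleLogin auth=` header form is ClientLogin's, and the 14-day window is the figure quoted above.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)   # validity window quoted in the article
SCHEME_PREFIX = "googlelogin auth="   # ClientLogin Authorization header form

# Constructed sample: outbound requests as (timestamp, URL, headers) from a test proxy.
SAMPLE_REQUESTS = [
    ("2011-05-17T09:00:00+00:00", "http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED_TOKEN_AAAA"}),
    ("2011-05-17T09:00:05+00:00", "https://contacts.example.test/feeds/default",
     {"authorization": "GoogleLogin auth=CONSTRUCTED_TOKEN_BBBB"}),
    ("2011-05-17T09:00:09+00:00", "http://news.example.test/index.html", {}),
]

def redact(token):
    """Keep only enough of the token to correlate findings, never the full value."""
    return token[:4] + "..." if len(token) > 4 else "..."

def audit(requests):
    """Return one finding per request that sends a ClientLogin token without TLS."""
    findings = []
    for stamp, url, headers in requests:
        parts = urlsplit(url)
        # Header names are case-insensitive, so normalise before lookup.
        auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
        if not auth.lower().startswith(SCHEME_PREFIX):
            continue  # no ClientLogin token on this request
        if parts.scheme.lower() == "https":
            continue  # token is protected in transit
        sent = datetime.fromisoformat(stamp)
        findings.append({
            "host": parts.hostname,
            "token": redact(auth[len(SCHEME_PREFIX):]),
            "sent": sent,
            # A token seen on the wire must be treated as usable until this time.
            "exposed_until": sent + TOKEN_LIFETIME,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f['host']}: token {f['token']} sent in cleartext, "
              f"treat as compromised until {f['exposed_until'].isoformat()}")
```

Each finding marks an account whose token should be invalidated, since the token stays usable for the whole window regardless of which network the device joins next.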
All in all, this is some pretty bad news for Android users and is yet one more reason why Android’s version fragmentation needs to be brought under control oh so quickly. It’s one thing when you’re talking about software features, but software security is just something you can’t mess with, particularly when you’re talking about personal information. If there’s one area that Google needs to get under control, this is it.