99.7% of Android phones leak user account credentials

May 17, 2011, 6:21 PM

According to a report by German researchers, some 99.7% of Android devices in circulation are vulnerable to an attack that could compromise sensitive data transmitted over a wireless network connection. The hole reportedly stems from a flaw in Google's ClientLogin authentication protocol, which Android applications use to authenticate to Google services.

To use ClientLogin, an app requests an authentication token (authToken) from the Google service by passing an account name and password over an HTTPS connection. The returned authToken can be used for any subsequent request to the service API; it remains valid for up to two weeks and is not bound to any session or device-specific information.

Those attributes wouldn't be an issue if attackers couldn't obtain an authToken, but that isn't the case. The report notes that many applications send the authToken over an unencrypted HTTP connection, making it easy for anyone on the same network to capture it with software utilities such as Wireshark and then use it to access your information.

"For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user," the researchers explained.

[Image: Wireshark showing ClientLogin authToken in data API request to Picasa Web Albums]

Besides stealing the compromised user's information, a hacker could also target the victim's contacts. "An adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

Because authTokens last for up to two weeks, the report noted that an attacker could collect them on a large scale with an insecure wireless access point and use them later from an entirely different location. As such, the researchers are urging Google to limit the lifetime of authTokens in addition to rejecting ClientLogin-based requests from insecure connections.
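As an added example (not code from the article, the researchers, or Google), the following Python models the token policy the researchers criticise and the two changes they urge: a short lifetime and refusal of token-bearing requests over plaintext HTTP. The `GoogleLogin auth=` header form is the real ClientLogin one; `TokenService`, `replay_scenario`, the policy values and the sample account are assumptions made for this example.

```python
import secrets

# Added example, not code from the article or from Google: a minimal model of a
# ClientLogin-style bearer-token service with the two mitigations the researchers
# urge (short token lifetime; no token-bearing requests over plaintext HTTP).
# "GoogleLogin auth=" is the real ClientLogin header form and TWO_WEEKS the
# lifetime the article reports; the policy knobs, store and requests are constructed.
TWO_WEEKS = 14 * 24 * 3600
ONE_HOUR = 3600
PREFIX = "GoogleLogin auth="


class TokenService:
    def __init__(self, lifetime=TWO_WEEKS, require_tls=False):
        self.lifetime = lifetime        # seconds a token stays valid
        self.require_tls = require_tls  # reject tokens presented over plain HTTP
        self._tokens = {}               # token value -> (account, issued_at)

    def issue(self, account, now):
        # Real issuance happens over HTTPS after a password check; that step is
        # omitted because the token's lifecycle after issuance is the point.
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (account, now)
        return tok

    def authorize(self, request, now):
        """request = {"scheme": "http"|"https", "headers": {...}} -> (ok, detail)."""
        if self.require_tls and request["scheme"] != "https":
            return False, "token presented over plaintext transport"
        auth = request["headers"].get("Authorization", "")
        if not auth.startswith(PREFIX):
            return False, "missing ClientLogin header"
        entry = self._tokens.get(auth[len(PREFIX):])
        if entry is None:
            return False, "unknown token"
        account, issued_at = entry
        if now - issued_at > self.lifetime:
            return False, "token expired"
        return True, account


def replay_scenario(service, now):
    """Token issued at t=now, sent by the app over plain HTTP a minute later (where
    the article says it can be captured), then reused elsewhere three days later."""
    tok = service.issue("alice@example.com", now)  # constructed sample account
    headers = {"Authorization": PREFIX + tok}
    app_use = service.authorize({"scheme": "http", "headers": headers}, now + 60)
    reuse = service.authorize({"scheme": "https", "headers": headers}, now + 3 * 86400)
    return app_use[0], reuse[0]
```

With the article's policy (two-week lifetime, any transport) both requests in `replay_scenario` are accepted; with the researchers' two changes applied, the plain-HTTP request is refused and the later reuse has expired.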

The vulnerability is present in all Android versions prior to 2.3.4 (Gingerbread), which is only available for a handful of Android devices. If you can't update to 2.3.4, the researchers recommend avoiding public Wi-Fi networks or at the very least disabling automatic synchronization and letting your device forget an open network that you previously connected to.

User Comments: 25

MrAnderson said:

There is no perfect fix... this is no better than a person downloading an app with a key logger.

The truth is that sooner or later... the development API will have to allow users to be prompted and to control what aspects of the information stored on the device can be touched by an application. If users stick to app stores that are managed by big enough or trusted sources it should at least mitigate most of the fuss.

Wireless devices and our data always hovering over the ether is scary enough!

ramonsterns said:

Crap, so this is how they used my email account to spam.

I noticed today that I had apparently sent emails with links to "medicine" sites, when I had not done such a thing. My only culprits were my College and my own Computer, but now it seems my phone is to blame.

nismo91 said:

I'd like to know what the 0.3% devices are.

Guest said:

I think one of the 0.3% phones include the simplest Tin Can Phone...

Flannelwarrior said:

Has this hole been exploited yet?

PinothyJ said:

Google in trouble with privacy, again?

I would never have guessed...

BrianUMR said:

The 0.3% are the phones with Gingerbread on them, like the Google Nexus S. It is pretty much saying Gingerbread is only on 0.3% of phones.

gwailo247, TechSpot Chancellor, said:

BrianUMR said:

The 0.3% are the phones with Gingerbread on them, like the Google Nexus S. It is pretty much saying Gingerbread is only on 0.3% of phones.

So what you're saying is this is a virus released by Samsung to boost sales? =)

This is really going to force phone companies to have to start taking some stances as far as OS updates are concerned. You can't let the manufacturers drag their feet. Now phone companies are going to need to start taking some responsibility in allowing their customers to have their phones upgraded to the latest version. You can't have the average customer rooting their phone or doing some other crazy nonsense. This is a critical system patch that needs to be applied pronto.

This year is turning out to be a very interesting one in this particular sector.

yRaz said:

I'm happy I have a windows phone

Archean, TechSpot Paladin, said:

I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p

BrianUMR said:

Archean said:

I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p

Yeah I don't really get why so many applications need so many different privileges. I can find games that pretty much do the same thing and some need next to nothing and other want everything.

Arris said:

Archean said:

I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p

Since Android doesn't give users root access by default, the privilege access most apps ask for can only be of a high-level type. Most of it is "can Iz access the interwebz?" since people won't want unnecessary data charges from some game they've downloaded downloading additional resources over their 3G connection. I don't think this is particularly reckless of Google. What might be reckless is the level of checking of apps submitted to the Android Market; anything related to user authentication should never be over HTTP. This is where the problem could lie, not the privilege access apps ask for, at least in my opinion.

*hugs his DHD running 2.3.3 Gingerbread*

Archean, TechSpot Paladin, said:

Fair enough, but recklessness it is; what I was also inferring is why on earth a game would want to have access to your contacts, or logs? In addition to that, remember all those malware-carrying apps in the market?

Oh by the way I recommended DHD to a friend who was hell bent on buying an android cell, and guess what, after 2 weeks he returned it

Guest said:

Thank God... I am Gingerbread

Guest said:

Your title is misleading. In order for this to happen, the user has to download the application first. Of the percentage of people who download apps on the market, your small percent (probably less than 1%) are at risk. This proves your title is incorrect.

WTH Techspot, come on!!

~RC

Guest said:

So what he is saying is that if someone has access to your cookies then he can access your stuff, and one can sniff it while it's going through the network. Well in that case 100% of iPhones and 100% of Windows phones have this issue. I want to know which 0.3% of Android phones don't have this issue; I am sure there are none.

princeton said:

Arris said:

Archean said:

I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p

Since Android doesn't give users root access by default, the privilege access most apps ask for can only be of a high-level type. Most of it is "can Iz access the interwebz?" since people won't want unnecessary data charges from some game they've downloaded downloading additional resources over their 3G connection. I don't think this is particularly reckless of Google. What might be reckless is the level of checking of apps submitted to the Android Market; anything related to user authentication should never be over HTTP. This is where the problem could lie, not the privilege access apps ask for, at least in my opinion.

*hugs his DHD running 2.3.3 Gingerbread*

It was fixed in 2.3.4. Nice try but you're still vulnerable.

2.3.4 Nexus S master race here.

PanicX, TechSpot Ambassador, said:

The report notes that many applications send the authToken over an unencrypted HTTP connection, making it easy for anyone on the same network to capture it with software utilities such as Wireshark and then use it to access your information.

Am I the only one seeing this as not an Android problem but an application developer one? I suppose Google can require all authTokens to use SSL, but that's still not going to stop a badly developed application from broadcasting your password. I'd hate to think that you'd need to Wireshark your phone after every app you install, but if you're really serious about these types of flaws, you'd at least want to read reviews of apps that include this type of checking first. And if you've rooted or jailbroken your phone, then it's 100% your responsibility and not the manufacturer's.

Guest said:

I heard the security flaw only happens when you don't hold the phone correctly while connecting to wi-fi.

princeton said:

I heard the security flaw only happens when you don't hold the phone correctly while connecting to wi-fi.

This is a joke right? Please be a joke.

Guest said:

The same thing happened to me 2 days ago, but on my iPhone. Those went out from my Hotmail account that I'm running on the phone. I'll never join an unsecured wireless node ever again. Had to have Microsoft wipe my account.

Guest said:

When you get a new Android phone, look at the application section and uninstall all apps that require more permissions than: local storage, geolocation, internet access, get phone state. Do this and you have no worries. When installing apps always check permissions; for example the Twitter app requires your first unborn child access while the TweetCaster app does the same thing with only storage, internet and GPS (for char near by) access. Don't just blindly install apps; look at the permissions they require and you will be surprised how you can find many alternatives to the same app which require far less access. At the end of the day I will always choose Android over iPhone, mainly because droid is an open market which gives power to people, not the companies and their rules and their fat wallet. -- Saimon Lovell

Arris said:

Am I the only one seeing this as not an Android problem but an application developer one?

No

Arris said:

It was fixed in 2.3.4. Nice try but you're still vulnerable.

2.3.4 Nexus S master race here.

Gah

r3dark said:

... as this is not new news.... people should already know these devices run on an unsecured circuit.
