Google issues patch to fix Android's ClientLogin data leaks

By on May 19, 2011, 6:00 AM

Google has announced it's starting to roll out a server-side patch for a security vulnerability in 99% of Android phones that could have allowed someone to snoop on an unencrypted Wi-Fi network and access calendar and contact data. The fix requires no action from users and will be deployed globally over the next few days.

The existence of a flaw was first suggested back in February in a blog post by Rice University professor Dan Wallach, who noted that several native Android applications don't use SSL encryption to protect their network traffic. But it was only late last week that German researchers devised a proof-of-concept attack to demonstrate the vulnerability.

The hole stems from a flaw in Google's ClientLogin authentication protocol, which is designed to allow applications to trade a user's credentials for an authentication token that identifies the user to the service. If the token is passed through an unencrypted request, it could potentially be intercepted by an attacker and used to access a user's web-based calendars, their contacts and apparently also the Picasa photo storage and sharing service.

The latest releases of Android for smartphones (2.3.4) and tablets (3.0) are not affected by this issue, but since more than 99% of Android device owners are still using older versions, Google saw fit to expedite a fix.

Basically, the fix forces all Android devices to connect to Google Calendar and Contacts servers over HTTPS so that authentication tokens won't be susceptible to eavesdropping when transmitted over an unprotected wireless network. Google is reportedly still investigating whether or not Picasa is vulnerable as well.
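An added example, not from the article or from Google's code: a Python check that a client developer could run over an app's own request log to find authentication tokens sent over plain HTTP, the condition described above, and to apply the same HTTPS-only remedy. The hostnames, token value, record format and the header and parameter name lists are constructed assumptions; the `GoogleLogin auth=` header shape is the one ClientLogin used and is not shown on this page.

```python
from urllib.parse import urlsplit, parse_qs

# Names treated as credential-bearing (assumption for this example).
TOKEN_HEADERS = {"authorization", "cookie"}
TOKEN_PARAMS = {"auth", "token", "access_token"}

# Constructed sample: records as an app's own test proxy or request log might export them.
SAMPLE_REQUESTS = [
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=CONSTRUCTED_TOKEN"}},
    {"url": "https://contacts.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=CONSTRUCTED_TOKEN"}},
    {"url": "http://photos.example.test/data?auth=CONSTRUCTED_TOKEN",
     "headers": {"User-Agent": "sample"}},
    {"url": "http://static.example.test/logo.png", "headers": {}},
]

def cleartext_token_findings(requests):
    """Return (url, location) pairs where a credential travels over plain HTTP."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # HTTPS requests are encrypted in transit
        for name, value in req.get("headers", {}).items():
            if name.lower() in TOKEN_HEADERS and value.strip():
                findings.append((req["url"], f"header:{name}"))
        for param in parse_qs(parts.query):
            if param.lower() in TOKEN_PARAMS:
                findings.append((req["url"], f"query:{param}"))
    return findings

def force_https(url):
    """Rewrite an http:// URL to https://, leaving other URLs unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http":
        return parts._replace(scheme="https").geturl()
    return url

if __name__ == "__main__":
    for url, where in cleartext_token_findings(SAMPLE_REQUESTS):
        print(f"token in {where} sent in cleartext: {url} -> use {force_https(url)}")
```

Requests without a credential, such as the static image in the sample, are not flagged even over HTTP, which keeps the report focused on token exposure.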




User Comments: 6

princeton said:

Well I haven't been affected for a while. Nexus master race!

Arris said:

"an unencrypted Wi-Fi network and access calendar and contact data."

Fortunately I don't use any unencrypted wi-fi.

lawfer, TechSpot Paladin, said:

So this demonstrates they CAN release the Android updates much faster than what it currently is now, huh? Bravo Google, bravo.

BrianUMR said:

lawfer said:

So this demonstrates they CAN release the Android updates much faster than what it currently is now, huh? Bravo Google, bravo.

It's not really an Android update. It doesn't even really fix the problem. I would call it a workaround. It is good that they are able to do this since it takes updates a long time to come out. Whatever the bug was it had already been fixed in 2.3.4 and higher.

The reason I say it doesn't fix the problem and is a workaround is because the bug is still there. It's just that the bug has become useless since it worked on an HTTP connection which Google is no longer going to accept.

tonylukac said:

I thought the carriers do updates. How can a fix be expedited so fast if it takes months for carriers to update?

lawfer, TechSpot Paladin, said:

BrianUMR said:

lawfer said:

So this demonstrates they CAN release the Android updates much faster than what it currently is now, huh? Bravo Google, bravo.

It's not really an Android update. It doesn't even really fix the problem. I would call it a workaround. It is good that they are able to do this since it takes updates a long time to come out. Whatever the bug was it had already been fixed in 2.3.4 and higher.

The reason I say it doesn't fix the problem and is a workaround is because the bug is still there. It's just that the bug has become useless since it worked on an HTTP connection which Google is no longer going to accept.

Whether it is an actual update or not, the fact that they CAN release software onto the phones without the carriers' "certification", proves they've been intentionally segregating the Android platform.
