99.7% of Android phones leak user account credentials

Matthew DeCarlo

Matthew DeCarlo

Posts: 5,271   +104
Staff

According to a report by German researchers, some 99.7% of Android devices in circulation are vulnerable to an attack that could compromise sensitive data transmitted over a wireless network connection. The hole reportedly stems from a flaw in Google's ClientLogin authentication protocol, which verifies communication between Android devices and applications.

To use ClientLogin, an app requests an authentication token (authToken) from the Google service by passing an account name and password over an HTTPS connection. The returned authToken can be used for any subsequent request to the service API and in addition to remaining valid for up to two weeks, it's not bound to any session or device-specific information.

Those attributes wouldn't be an issue if attackers couldn't obtain an authToken, but that isn't the case. The article notes that many applications can send such data over an unencrypted HTTP connection, making it easy for unsavory types to obtain the authToken with software utilities such as Wireshark, which can then be used to access your information.

"For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user," the researchers explained.

Wireshark showing ClientLogin authToken in data API request to Picasa Web AlbumsAndroid

Besides stealing the compromised user's information, a hacker could also target the victim's contacts. "An adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

Because authTokens last for up to two weeks, the report noted that an attacker could collect them on a large scale with an insecure wireless access point and use them later from an entirely different location. As such, the researchers are urging Google to limit the lifetime of authTokens in addition to rejecting ClientLogin-based requests from insecure connections.

The vulnerability is present in all Android versions prior to 2.3.4 (Gingerbread), which is only available for a handful of Android devices. If you can't update to 2.3.4, the researchers recommend avoiding public Wi-Fi networks or at the very least disabling automatic synchronization and letting your device forget an open network that you previously connected to.

Permalink to story.

https://www.techspot.com/news/43838-997-of-android-phones-leak-user-account-credentials.html

 
There is no perfect fix... this is no better than a person downloading an app with a key logger.

The truth is that sooner or later... the development API will have to allow users to be promted, control what aspects of the informtion stored on the device can be touched by an application. If users stick to app stores that are managed by big enough or trusted sources it should at least mitigate most of the fuss.

Wireless devices and our data always hovering over the ether is scarry enought!
 
Crap, so this is how they used my email account to spam.

I noticed today that I had apparently sent emails with links to "medicine" sites, when I had not done such a thing. My only culprits were my College and my own Computer, but now it seems my phone is to blame.
 
I think one of the 0.3% phones include the simplest Tin Can Phone...
 
The 0.3 % are the phones with Gingerbread on them. Which is like the Google Nexus S. It is pretty much saying Gingerbread is only on 0.3% of phones.
 
BrianUMR said:
The 0.3 % are the phones with Gingerbread on them. Which is like the Google Nexus S. It is pretty much saying Gingerbread is only on 0.3% of phones.
Click to expand...

So what you're saying is this is a virus released by Samsung to boost sales? =)

This is really going to force phone companies to have to start taking some stances as far as OS updates are concerned. You can't let the manufacturers drag their feet. Now phone companies are going to need to start taking some responsibility in allowing their customers to have their phones upgraded to the latest version. You can't have the average customer rooting their phone or doing some other crazy nonsense. This is a critical system patch that needs to be applied pronto.

This year is turning out to be a very interesting one in this particular sector.
 
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p
 
Archean said:
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p
Click to expand...

Yeah I don't really get why so many applications need so many different privileges. I can find games that pretty much do the same thing and some need next to nothing and other want everything.
 
Archean said:
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p
Click to expand...

Since Android doesn't give users root access as default, the privilege access most apps ask for can only be of a high level type. Most of it is "can Iz access the interwebz?" since people won't want unnecessary data charges from some game they've downloaded downloading additional resources over their 3G connection. I don't think this is particularly reckless of Google. What might be reckless is the level of checking of apps submitted to the Android Market, anything related to user authentication should never be over http . This is where the problem could lie, not the privilege access app ask for, at least in my opinion.

*hugs his DHD running 2.3.3 Gingerbread*
 
Fair enough, but recklessness it is as what I was also inferring that why on earth a game would want to have access to your contacts? or logs? In addition to that remember all those malware carrying apps in the market?

Oh by the way I recommended DHD to a friend who was hell bent on buying an android cell, and guess what, after 2 weeks he returned it :confused:
 
Your title is misleading. In order the user has to download the application first. Of the percentages of people who download apps on the market, your small percent (probably less than 1%) are at risk. This proves your title is incorrect.

WTH Techspot, come on!!

~RC
 
So what he is saying is that if someone has access to your cookies then he can access yout stuff, and one can sniff it while its going through network. Well in that case 100% iPhone and 100% of Windows have this issue. I want to know which 0.3% of android phones don't have this issue, I am sure there are none.
 
Arris said:
Archean said:
I am not because I am still stuck with SGS running Froyo. Although I never use any open/public wifi spot. Funny thing is almost every android application wants to have some sort of privilege access; which is not only dangerous but reckless on the part of Google + developers. Oh and Mathew, I beat you to it :p
Click to expand...

Since Android doesn't give users root access as default, the privilege access most apps ask for can only be of a high level type. Most of it is "can Iz access the interwebz?" since people won't want unnecessary data charges from some game they've downloaded downloading additional resources over their 3G connection. I don't think this is particularly reckless of Google. What might be reckless is the level of checking of apps submitted to the Android Market, anything related to user authentication should never be over http . This is where the problem could lie, not the privilege access app ask for, at least in my opinion.

*hugs his DHD running 2.3.3 Gingerbread*
Click to expand...

It was fixed in 2.3.4. Nice try but you're still vulnerable.

2.3.4 Nexus S master race here.
 
The article notes that many applications can send such data over an unencrypted HTTP connection, making it easy for unsavory types to obtain the authToken with software utilities such as Wireshark, which can then be used to access your information.
Click to expand...

Am I the only one seeing this as not an Android problem but a application developer one? I suppose Google can require all authTokens use SSL, but that's still not going to stop a badly developed application from broadcasting your password. I'd hate to think that you'd need to wireshark your phone after every app you install, but if you're really serious about these type of flaws, you'd at least want to read reviews of apps that include this type of checking first. And if you've rooted or jailbreak your phones, then its 100% your responsibility and not the manufacturers.
 
I heard the security flaw only happens when you don't hold the phone correctly while connecting to wi-fi.
 
The same thing happened to me 2 days ago, but on my Iphone. Those went out from my hotmail account that I running on the phone. I'll never join an unsecured wireless node ever again. Had to have Microsoft wipe my account.
 
When you get a new android phone, look at the application section and uninstall all apps that requires more permissions then: local storage, geo location, internet access, get phone state. Do this and you have no worries. When installing apps always check permissions such as Twitter app requires you first unborn child access while TweetCaster app does the same thing with only storage, internet and gps (for char near by) access. Don't just blindly install apps, look at the permissions it requires and you will be surprised how you can find many alternatives to the same app which requires far less access. At the end of the day I will always choose android over iPhone mainly because droid is openMarket which gives power to people not the companies and their rules and their fat wallet. -- Saimon Lovell
 
You must log in or register to reply here.

Similar threads

N
Your favorite password manager could be exposing your credentials
Replies
21
Views
566
ZedRM
ZedRM
Daniel Sims
Unpatchable Apple Silicon vulnerability could leak encryption keys
Replies
15
Views
270
Dreadcthulhu
D
Daniel Sims
Windows 11 Android support ends next March
Replies
5
Views
169
trents
T

Latest posts

Back