Regardless of where you sit in the tech world, there is one thing that affects us all: security vulnerabilities. Unfortunately, our little green robot is no exception to this rule, and The Register recently dropped a report on a potentially bad exploit.

Apparently, in Android 2.3.3 and below, there is a vulnerability that would allow attackers to collect digital tokens that are stored on the device after users log in to Google Calendar, Facebook, Twitter, and "several other accounts."

Here's how it works: when you log in to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, the tokens are transferred over an unencrypted channel, so anyone on the same network can easily intercept them. Once intercepted, the attacker can log in to the account associated with the authToken without question.

I realize this sounds scary, but it's quite easy to prevent falling victim to such an attack. In order for this vulnerability to be exploited, you must be on an unencrypted network. This would most likely take place somewhere that offers public Wi-Fi -- coffee shops, book stores, etc. The unfortunate thing is that the SSID for these types of locations can be easily spoofed. All an attacker has to do is create a wireless network with the same SSID as a common Wi-Fi hotspot (attwifi, for example); if you have previously connected to a hotspot with the same name, your Android should re-connect automatically.

Once connected, all of your accounts should attempt to sync, which requires sending the aforementioned authToken. At this point, the attacker intercepts the token, essentially stealing your login credentials for the site in question.
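The failure mode described above is a long-lived token leaving the device over plain HTTP. As an added example (not part of the original post or of Android), here is a small audit that takes captured requests, flags any that carry a token-like header or query parameter over a cleartext channel, and redacts the token in the report. The header and parameter names, hosts and token values are all constructed assumptions.

```python
"""Audit captured HTTP requests for auth tokens sent over cleartext.
Header and parameter names below are assumptions, not Android's own."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed names under which a client might send a token.
TOKEN_HEADERS = {"authorization", "cookie", "x-auth-token"}
TOKEN_PARAMS = {"auth", "authtoken", "access_token"}

@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)

def is_cleartext(url: str) -> bool:
    """True when the request does not use TLS (http://, not https://)."""
    return urlsplit(url).scheme.lower() == "http"

def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is traceable without re-exposing the token."""
    return value[:keep] + "..." if len(value) > keep else "..."

def token_locations(req: Request) -> list:
    """Return (where, name, redacted_value) for every token-like field in req."""
    found = []
    for name, value in req.headers.items():
        if name.lower() in TOKEN_HEADERS:
            found.append(("header", name, redact(value)))
    for name, values in parse_qs(urlsplit(req.url).query).items():
        if name.lower() in TOKEN_PARAMS:
            found.append(("query", name, redact(values[0])))
    return found

def audit(requests: list) -> list:
    """One finding per request that carries a token over a cleartext channel."""
    findings = []
    for req in requests:
        locs = token_locations(req)
        if locs and is_cleartext(req.url):
            findings.append({"url": req.url.split("?")[0], "tokens": locs})
    return findings

# Constructed sample traffic; hosts and token values are made up.
SAMPLE = [
    Request("http://sync.example.test/calendar", {"Authorization": "AuthToken DQAAmadeup"}),
    Request("https://sync.example.test/calendar", {"Authorization": "AuthToken DQAAmadeup"}),
    Request("http://img.example.test/avatar.png?auth=DQAAmadeup"),
    Request("http://img.example.test/avatar.png?size=64"),
]
```

Only the first and third sample requests are reported: the same token over HTTPS, and a cleartext request with no token, are not findings.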

Fortunately, Google is aware of the issue and has patched it in Android 2.3.4 and Honeycomb, but that still leaves about 99% of all devices vulnerable to the attack.

However, if yours doesn't fall into the sliver of unaffected devices, there are a few different ways you can prevent this attack. The first is probably also the easiest: don't use public Wi-Fi. If you must use public Wi-Fi, however, be safe about it. Don't allow your device to automatically connect to public networks (Settings > Wireless & Networks > Wi-Fi Settings).

[The Register via BGR]

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, musician, and cyclist. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6-string, spinning on the streets, or watching The Texas Chainsaw Massacre on repeat.

  • http://ocaoimh.ie/ Donncha O Caoimh

    Surely it's an application problem, isn't it? The app should be sending those auth tokens over SSL rather than ordinary HTTP requests.

    Or is this a built in API in Android?

    • SiliconAddict

      Google has been adding core features to the OS for years. At this point, I believe, Facebook and Twitter support is baked into the OS. As such this is Google's issue.

  • brendon

    Glad I'm on 2.3.4 :-)

    • Tee

      This is really scary, because it has been realized only now. Since when has Android been out anyway? For several years...

  • Andrew

    If you really have to use a public WiFi, it would most likely be for some quick browsing somewhere you don't have 3G access. So temporarily disabling Auto Sync from Settings -> Accounts and Sync or from a power widget should let you do the browsing without worrying about stolen tokens. Then, when you're back on a trusted network, just re-enable syncing.

  • Mark

    If I am on a public Wi-Fi I use droidwall, a firewall for Android. With 1 click (or rather touch :-) all applications cannot connect anymore except for the browser or whatever you need.
    I can recommend droidwall very much.

    • SiliconAddict

      Other than the fact that a firewall doesn't encrypt your connection, and as such the stream can still be intercepted.

      • http://lavadip.com HRJ

        The OP's point was that only applications that you authorize explicitly can connect through the firewall. So, you could prevent interception of background connections.

  • SiliconAddict

    Queue the iTards who will act as if they never had an exploit in iOS before.

    • Kane

      Cue* :-]

    • _Tetragrammaton

      Who's retarded if 99% of said devices are currently open to the exploit?

      • Phil

        You're retarded if you're trusting just any old network you can connect to. There's nothing really special about this vuln. If you're on someone else's network you are gambling to begin with. Wireless security only protects you up to the access point. After that you're on a wire and you don't know who or what else is on it.

  • http://ocaoimh.ie/ Donncha O Caoimh

    I need to look into setting up a VPN to my server so I can proxy through that then.

    Thankfully free wifi around here is a rare commodity but this is disturbing. Hope

  • Ron H in Schenectady

    The press is running crazy with this, saying Android is unsecure, etc. They're not saying it's only if you're on an unencrypted network. I hope this info gets out so they can stop with the sensationalizing.

  • LAmDroid

    another mountain out of a mole

  • dozo

    Does this vulnerability exist in other phone OS like Symbian, Bada, iOS and Windows Phone 7? Or is it unique to only Android?

    • Tee

      This is _Android_ Police. :D

      Try Apple/Symbian/Bada/WP Police...

  • Nikki

    I rooted my phone to Gingerbread so I have 2.3.3. When I woke up this morning I had a sign-in error for my Gmail account on my phone. When I signed in through the browser Gmail needed me to verify some stuff before letting me in, and when I got in, somebody had sent slit of emails to my contacts!!!!

  • Mongo

    Tbh, this is not just an Android problem. I did a test on my home network: 2 different routers (one Netgear and one Belkin) with different SSIDs, having 3 PCs running Windows XP and 1 Windows 7 and 2 Android phones (an HTC Desire and a SGS) and 1 iPad connected to Router 1. Turned off router 1 and switched the SSID on router 2; all of them connected to it without me having to even touch the devices. Tried with and without encryption.

    Of course, with the encryption it would require them(the evil hackers) to know this information.

  • http://www.dudumimran.com/ Dudu Mimran
  • edu techs

    Android Silver is also expected to have a kill switch.