Security Vulnerability In Most Versions Of Android Allows Attackers To Steal Your Login Credentials

Android Police

By Cameron Summerson

Published May 17, 2011

Regardless of where you sit in the tech world, there is one thing that affects us all: security vulnerabilities. Unfortunately, our little green robot is no exception this rule, and The Register recently dropped a report on a potentially bad exploit.

Apparently, in Android 2.3.3 and below, there is a vulnerability that would allow attackers to collect digital tokens that are stored on the device after users login to Google Calendar, Facebook, Twitter, and "several other accounts."

Here's how it works: when you login to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can login to the account associated with the authToken without question.

I realize this sounds scary, but it's quite easy to prevent falling victim to such an attack. In order for this vulnerability to be exploited, you must be on an unencrypted network. This would most likely take place somewhere that offers public Wi-FI -- coffee shops, book stores, etc. The unfortunate thing is that the SSID for these types of locations can be easily spoofed. All an attacker has to do is create a wireless network with the same SSID as a common Wi-Fi hotspot (attwifi, for example); if you have previously connected to a hotspot with the same name, your Android should re-connect automatically.

Once connected, all of your networks should attempt to sync, which requires the sending of the aforementioned authToken. At this point, the attacker intercepts the token, essentially stealing your login credentials for the site in question.

Fortunately, Google is aware of the issue and it has been patched in Android 2.3.4 and Honeycomb, but that still leaves about 99% of all devices vulnerable to the attack.

However, if yours doesn't fall into the sliver of unaffected devices, there are a few different ways you can prevent this attack. The first is probably also the easiest: don't use public Wi-Fi. If you must use public Wi-Fi, however, be safe about it. Don't allow your device to automatically connect to public networks (Settings > Wireless & Networks > Wi-Fi Settings).

[The Register via BGR]