99% of Android devices leak secure information

[Richard1864]

99% of Android phones leak secret account credentials ?€? The Register

99% of Android phones leak secret account credentials

'Impersonation attacks' target Google services

By Dan Goodin in San Francisco • Get more from this author

Posted in Security, 16th May 2011 21:44 GMT

The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

... More

 

[Dark Wizard Matoya]

If this is true then it's a really serious problem. Just one more reason to kill the custom manufacturer UI's, reduce fragmentation, and get updates for all Android devices pushed out as quickly as possible.

In any case my Droid Incredible is running the latest CM7 nightly, which is 2.3.4, so hopefully I should be OK. Now I'm really glad that I don't have the patience to wait for the official OTA update. Thank God for Cyanogenmod.

 

[DenverRalphy]

As I search the interwebz for more info, it seems that services using OAuth aren't susceptible to the attack in the article. Which all apps and services seem to already be using.

The ClientLogin API is a tool that's only supposed to be used in a closed environment, like communication between your device plugged directly to your PC. Similar to the differences between using Telnet over SSH.

I'm still researching, but it seems (so far) to be more scare tactic journalism on a proof of concept. As it stands right now based on what I've been reading, no services or apps are using the ClientLogin API over OAuth in any case, rendering the point somewhat moot. For somebody to intentionally spoof another WiFi network, they'd still have to have me install an app first.

 

[Jalarm]

only secure with 2.3.4? Nexus S FTW??

 

[Dark Wizard Matoya]

only secure with 2.3.4? Nexus S FTW??

Nexus S and CM7 Nightlies FTW. This is why rooting is great. Why sit around waiting for the official update when you can run a custom ROM and get the latest and most secure version of Android yourself?

 

[ahammond1024]

I think its would be nice to track all of this stuff.

I assumed my facinate would be like the iphone. Where Verizon could track the gps locations as I use its GPS program.

 

[Johnly]

Lol! A bot has to mine it on wifi.....solved on googles current OS. Don't think it is a manufactured from a skin. Pretty big gap eh, thanks bgill for the news.

 

[srkmagnus]

A little disturbing to say the least. Sounds like you will only be affected by not practicing safe measures or by trusting known access points. It's going to be interesting to hear from everyone regarding this issue.

 

[srkmagnus]

Google's Plugging That Potential Android Personal Data Leakage Right Now - Gizmodo

Google is pushing a fix for every Android Device, though Picasa will not be included. OP might want to update post for people to see when they click on this thread. Good for Google to push an update to address the issue.

 

[Jalarm]

Nexus S and CM7 Nightlies FTW. This is why rooting is great. Why sit around waiting for the official update when you can run a custom ROM and get the latest and most secure version of Android yourself?

Amen. Rooting is Android heaven.

 

[theblizzard2009]

good thing i have zero information on my phone that could harm me if it were in the wrong hands.