Researchers at University Of Ulm, Germany have found a security flaw in the digital token authentication process that Android uses for its services. This vulnerability can cause extreme privacy breach threat to the current Android users on version 2.3.3 and below. This flaw can be exploited by 3rd party services to gain access and steal digital credentials used to access Google services like Calendar, Contacts and other sensitive data in the form of plain text.
It all begins with the manner in which an authentication protocol called ClientLogin is implemented within Android. ClientLogin is an API that is used by programmers who develop client applications that gives access to Google services and for those who wants to implement a programmatic way to get authorized access to Google's account information. Researchers point out that this protocol has been poorly implemented in Android 2.3.3 and in its earlier versions.
When a user uses this API to enter his login credentials for Google services, it retrieves a digital authentication token that is sent in clear text instead of it being encrypted. Even worse, this authToken is valid for upto 14 days after its creation, which means attackers can use this digital token to their advantage to impersonate your details and gain access to services for 2 weeks until its expiry. We can only imagine the extent of impact it can cause for the Android users in this timeframe.
Earlier this year, a Rice University professor, demoed the privacy shortcomings of Android via a simple exercise for his undergraduate security class. All he did was to hook up a packet sniffer into his network and observe the traffic sent to and from his Android handset when he used various apps available for Google's mobile platform. To his shock, he could see that other than the passwords, all private data sent to and from Android was in plain text. Even the Facebook app seems to send information in clear text even if the always-On SSL encryption was switched ON. Apps that make use of the GPS coordinates data were seen transmitting values in plain text each time a service request was made via them. But luckily this hack is only possible when Andoroid uses an un-secured netwoks like Wi-Fi hotspots.
To address this security issue, Google rolled out Android 2.3.4 this month which did close the exploit, but forgot Picasa in the process. Data synchronisation with Picasa web albums still causes sensitive data to flow in the plain text format. Researchers claim that according to Google's statistics, at this point of time, more than 99% of the Android users are prone to this attack. A Google spokesman told that they are aware of the Picasa issue and a security fix is sure to follow this week. Meanwhile, ClientLogin app developers are advised to start sending data over encrypted HTTP channels to avoid the synced data from being intercepted. Alterantively, oAuth is another authentication protocol that can be used to overcome this issue.
Why 99% of the devices are affected? This is because Android updates are hard to come by. You'll be eligible for an update only if your carrier sends out one to you. Inspite of the security glitches, Google is having no sucess in forcing the carriers to supply updates to their customers. Some Verizon users are still on version 2.2.2 and also will be on the same probably for months. The good news is that in the upcoming weeks, Google will be providing a server-side fix to plug this issue. A worldwide fix release is imminent within a week or so.
Though the search engine giant is gaining popularity in the mobile market, it seems to have very little success in providing good customer care services in terms of updates for its users.Contact Us for News Tips, Corrections and Feedback