Android security hole makes stealing your personal info easy
Security is a relative term in digital communications, as German researchers discovered after putting Google’s Android OS through some testing. Reportedly, 99.7% of all droids could be broadcasting the authentication key to your personal Google data when connected over unsecured Wi-Fi networks, making it easy for opportunist attackers to gain access to it.
The problem lies in how some Android apps communicate with Google's cloud servers. The app transmits the username and password to the server securely, and the server returns an authentication token that the app presents on later requests so it doesn't have to log in every time.
The researchers found, however, that this token is the weak link: it is often transmitted insecurely, so anyone sniffing the unsecured public Wi-Fi network you use can capture it. Since the token stays valid for up to two weeks and can be used from any device, the attacker can then sync your contacts or calendar entries to a device of their own.
In short, your droid may be leaking the key to your personal info without you even knowing it. This type of attack is very similar to how the notorious Firesheep could once steal people’s Facebook accounts.
The researchers tested different Android phones, from different vendors, running different OS versions and found that syncing contacts and calendar data is done insecurely prior to v2.3.3. The Gallery app (developed by a third party and not Google) uses the insecure method even in the latest smartphone version of Android.
Unfortunately, the problem isn't limited to Android's native apps: third-party apps are vulnerable too and will have to be updated to patch the hole.
You can read the blog post by the researchers who found the loophole for more info.
We don't know about you, but that sounds scary to us.
Reader comments
- vocker
- 19 May 2011
- RrR
Anyone who doesn't care about this is simply a fool. I'm seriously considering dumping them all (droid/iphone) in favor of a standard phone. That said, I don't travel all that much. When I do I'm needing access to email/gps and Pandora (or MP3s on...
- Anonymous
- 19 May 2011
- MVg
passwords are there to be hacked. software is made by programmers. hackers are programmers. mobile phones are designed to trace people. people are like sheep. sheep are stupid. let's go back to the old fashioned way of communication. message i...
- droidwp7
- 19 May 2011
- v@H
If it's Android/Google it's not going to be a problem for anyone normally. However, if this is a case with WP7, comments are going to be more harsh.