Android security hole makes stealing your personal info easy

Security is a relative term in digital communications, as German researchers discovered after putting Google’s Android OS through some testing. Reportedly, 99.7% of all droids could be broadcasting the authentication key to your personal Google data when connected over unsecured Wi-Fi networks, making it easy for opportunist attackers to gain access to it.

The problem lies in how some Android apps communicate with the cloud servers. You see, researchers discovered apps transmit user name and password to the server securely and the server returns an authentication token to be used so that the app doesn’t have to log in every time it makes a request.

Researchers discovered, however, that this token is the weak link as it's often transmitted insecurely (making it very easy to steal). An attacker can easily steal one of these tokens by sniffing the unsecured public Wi-Fi network you use. And since the token is valid for up to two weeks (from any device), the attacker can go on and sync your contacts or calendar entries to a device of their own.

In short, your droid may be leaking the key to your personal info without you even knowing it. This type of attack is very similar to how the notorious Firesheep could once steal people’s Facebook accounts.

The researchers tested different Android phones, from different vendors, running different OS versions and found that syncing contacts and calendar data is done insecurely prior to v2.3.3. The Gallery app (developed by a third party and not Google) uses the insecure method even in the latest smartphone version of Android.

Unfortunately, the problem isn't limited to Android’s native apps, third party apps are vulnerable too and will have to be updated to patch the hole.

You can read the blog post by the researchers that found the loophole for more info.

We don't know about you, but that sounds scary to us.

Source