Android’s Personal Data Leakage Problem

I own an Android. You own an Android. Heaps of people own Androids. But apparently 99 per cent of them can be easily attacked, every time we log into a website on an unsecured network.

This is according to researchers at the University of Ulm, in Germany, who found that any phone running a version of Android prior to 2.3.3 is vulnerable to an attack thanks to a weak ClientLogin authentication protocol. Any time an Android user signs into a service such as Twitter, Facebook or a new Google account, the authToken is stored for 14 days, and it is accessible to anyone who knows how to go about it, the researchers claim:

“To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks…With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

The team staged the attack themselves, and found it was “quite easy to do so”. Gulp. Why are 99 per cent of the Android handsets in existence said to be vulnerable? Because any phone not running Android 2.3.4, which Google released a few weeks ago, hasn’t had the security hole patched yet.

While a fix from Google would solve this problem properly, Android users are advised to only use ClientLogin over https for now. [Uni-Ulm via The Register]
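For developers auditing their own app’s traffic, here is an added example (not code from the Ulm researchers or this post) that flags requests carrying a ClientLogin authToken over plain http, redacts the token in its report, and guards the client side by refusing to attach a token to a non-https URL. The captured requests are constructed; the `Authorization: GoogleLogin auth=` header is the format ClientLogin used, while the hosts and paths are placeholders.

```python
"""Audit constructed HTTP requests for ClientLogin authTokens sent in the clear.
Added example: the request records and hosts below are made up for illustration."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# ClientLogin carried the token in "Authorization: GoogleLogin auth=<token>".
TOKEN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


@dataclass
class Request:
    scheme: str            # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def find_clientlogin_token(req):
    """Return the authToken in the request's Authorization header, else None."""
    for name, value in req.headers.items():
        if name.lower() == "authorization":
            m = TOKEN_RE.match(value.strip())
            if m:
                return m.group(1)
    return None


def redact(token):
    """Keep only a short prefix so the audit report never reproduces the secret."""
    return token[:4] + "..."


def require_https(url):
    """Client-side guard: refuse to send a ClientLogin token to a non-TLS URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send authToken without TLS: " + url)
    return url


def audit(requests):
    """Return (host, path, redacted_token) for each token sent without TLS."""
    return [(r.host, r.path, redact(tok)) for r in requests
            if (tok := find_clientlogin_token(r)) is not None
            and r.scheme.lower() != "https"]


# Constructed sample traffic: the same sync over http and https, plus a request without a token.
SAMPLE = [
    Request("http", "sync.example.test", "/feeds/contacts",
            {"Authorization": "GoogleLogin auth=DQAA-constructed-token-value"}),
    Request("https", "sync.example.test", "/feeds/contacts",
            {"Authorization": "GoogleLogin auth=DQAA-constructed-token-value"}),
    Request("http", "www.example.test", "/", {"User-Agent": "constructed"}),
]

if __name__ == "__main__":
    for host, path, tok in audit(SAMPLE):
        print(f"PLAINTEXT authToken sent to {host}{path}: {tok}")
```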