Researchers at Germany’s University of Ulm have made some unsettling discoveries about the security of the Android platform. According to an article from The Register, the research group located a vulnerability that allows hackers to collect and use the digital tokens saved on a phone after a user inputs credentials for a password-protected service.
The problem seems to be linked to an authentication protocol called ClientLogin, which is present in version of Android 2.3.3 and earlier (aka most Android phones). After a user inputs credentials for services like Twitter, Facebook, or Google Calendar (to name a few), the programming interface retrieves an authentication token, which is sent in cleartext. “Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts,” claimed the article, quoting University of Ulm researchers.
Google has released a patch to solve the ClientLogin protocol problem, but the patch only works for Android 2.3.4 and Android 3.0, meaning that about 99 percent of Android phones don’t have access to the updated code. “We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote. “The short answer is: Yes, it is possible, and it is quite easy to do so.” Google has yet to release an official statement on the situation.[/p]
Source
This is a serious problem. Almost every Android phone out there is on 2.3.3 or lower, which means almost every Android is susceptible to account theft. I can confirm this is true, because my Facebook account was hacked not even a week after buying my first Android. Possibly a coincidence, but I doubt it.
The problem seems to be linked to an authentication protocol called ClientLogin, which is present in version of Android 2.3.3 and earlier (aka most Android phones). After a user inputs credentials for services like Twitter, Facebook, or Google Calendar (to name a few), the programming interface retrieves an authentication token, which is sent in cleartext. “Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts,” claimed the article, quoting University of Ulm researchers.
Google has released a patch to solve the ClientLogin protocol problem, but the patch only works for Android 2.3.4 and Android 3.0, meaning that about 99 percent of Android phones don’t have access to the updated code. “We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote. “The short answer is: Yes, it is possible, and it is quite easy to do so.” Google has yet to release an official statement on the situation.[/p]
This is a serious problem. Almost every Android phone out there is on 2.3.3 or lower, which means almost every Android is susceptible to account theft. I can confirm this is true, because my Facebook account was hacked not even a week after buying my first Android. Possibly a coincidence, but I doubt it.
