Slashdot Mirror
Swiped Tokens Expose Android Devices To Data Theft
tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."
Please. This is abhorrent fear-mongering.
This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks. Don't send private data that you want to be secure over inherently insecure networks.
Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?
While it is fear-mongering, it is hardly as trivial as the Facebook hacks of yore. For one, there is no way to enable/require SSL for these tokens (at least in plain sight). Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.
Therefore, if you have an Android phone you basically better never use WiFi at less than WPA2 grade encryption unless you want to risk your email and other services being compromised, period, end of story, no workaround.
I can only hope that thanks to the openness of Android, someone can code an app that allows for more granular control of what services are connecting at any given time, to at least give those with a clue the ability to stay safe when using open wifi.
...and turn off Wi-Fi. Don't let your 'smartphone' become a 'dumbphone'
Only use it for emergencies and throwing angry birds.
He who knows best knows how little he knows. - Thomas Jefferson
As it says in TFA:
"The researchers tested out apps that contact Google services, including Calendar, Contacts, and Gallery, on various iterations of Android. They found that those apps were all vulnerable on devices running Android 2.3.3 or earlier. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app -- which syncs with Picasa online Web albums -- does not. More important, the vulnerability is not limited to standard Android apps; any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable."
So, update to 2.3.4 when possible, and avoid unsecured wireless until then. It's not a life-threatening issue, more of a notice.
"Our goal each year should be to increase the number of goals we set for ourselves!"
google is harming their own rep and they don't even care. or they are too big to stop it.
over the weekend I bought my first android tablet. I didn't expect much as it was a $100 frys special...
the hardware vendor did not care about quality. cardboard chads were stuck under the resistive touch screen and you could see and feel bumps as you moved your finger over. horrible! they released product like that.
worse, the pad went into an annoying crash/reboot cycle. I went into one gui screen, tried to change some values and it crashed/rebooted. I was just configuring something, not even USING the damned tablet.
apple is evil, its true; but at least they ensure a reasonable experience on their tablet. its hella expensive and locked down, but at least they don't ship product with junk under the screen and with glaring showstopper bugs.
I know you can blame the vendor for shoddy hw and sw quality, but it does speak to google that they are so lax with the vendors. a bit of tighter control would have benefited them. the fragmentation is also a fall-out of their lack of management on the android platform.
android is 'all over the place'. its a dogs breakfast. (that's not a good thing, btw).
--
"It is now safe to switch off your computer."
I often connect to unencrypted wireless networks with my laptop, knowing full well that unless I ask it to, it will not be exchanging private info with anything. I set it up that way. How do I do that with my android? I doesn't stop sending bits and pieces of information, afaik, even when you turn off sync. The only thing that comes to mind is using droidwall...
Just about anyone at an airport or hotel, for starters. And what's wrong with that? Shouldn't I be able to expect that to work, without compromising my accounts?
And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.
Who is stupid enough to connect to an unsecured wireless connection
Plenty of people. Otherwise restaurants wouldn't offer them to entice customers to eat there.
with their personal cellular device?
There isn't much of a difference between a "smartphone" and a "laptop" anymore except for size. Tethering and USB 3G modems have turned laptops into "personal cellular devices". (If you disagree, we may have run into a definition problem.)
You need to not use wireless at all in that case, aside from known trusted networks that you are sure contain only trusted clients. Unless you are using WPA-Enterprise all clients on the same AP are using the same encryption key so can decode each others packets (intercepted simply by putting your network adaptor into promiscuous mode) easily.
So public wireless is a no-no even if it is not working "plain" (no authentication/encryption), and private wireless is out too unless you have audited every device that has access.
You could get around this by using some for of VPN setup of course, but that option is not open to non-technical users.
it does speak to google that they are so lax with the vendors.
There's a difference between OHA Android, which comes on phones and 3G tablets, and AOSP Android, which comes on PDAs and Wi-Fi-only tablets. Anyone can make a device with AOSP (Android Open Source Project), without Google's permission, but it'll come with AppsLib or Amazon Appstore instead of Android Market. I'm guessing that the 100 USD tablet you bought came with AOSP Android, not unlike my Archos 43 PDA. OHA Android-powered devices, on the other hand, are subject to tighter Google scrutiny, but they come with Android Market and other Google apps in return. If you want the tightest scrutiny ever, make sure to choose a phone with "Nexus" in the name.
You bought a tablet at a price point where you could expect a dog's breakfast, and you're surprised that you got one? I fail to understand what you think is wrong with the world here. There are always going to be hardware makers that are willing to put out shoddy (and possibly knock-off) products at super-discount prices.
I suspect that you bought the tablet on the self-fulfilling prophecy "Android is terrible, even this cheap tablet can't do anything properly!" Next time, either spend 10 minutes playing with the device in the store, or spend enough money to get a product that goes through proper quality assurance (both hardware and software).
I've had an Android phone for most of year now - never had a problem with it until I loaded CyanogenMod, and even the one problem I have had is relatively minor and easily worked around.
Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
Sorry but that argument is lame and totally inappropriate. Google drop the ball on this one. If an application needs to transfer sensitive information back to a server then the application should ensure that it is done securely. It is bad practice to assume that the path to the server is secure.
Why are we only taking Wifi into account? I remember a while back talk about an exploit in GSM that allowed femtocells to eavesdrop on a cellphone's transmissions. Don't assume that wifi is the only weak link.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
None of those are remote exploits for in-box software.
You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol. Even if you run the wildly popular Droid X, you are running 2.2.1, and there are NO expected updates. And even the best carriers drag their asses and force us to wait for them to push the update, rather than update it ourselves. The luckier users are unlocked enough to get an updatable Mod, like Cyanogen. Unlucky users like me have no such option.
Until Manufacturers supply completely unlockable phones, how "open" Android is doesn't mean shit. 2.3.4 will NEVER... EVER... be released for my phone. And I can't upgrade to Cyanogen, because it has Motorola's "fuck you in the ass" locking mechanism. I have my phone unlocked, but it's a hell of a hack, and Google removed the unlock app from their store because carriers complained that it can be used to enable tethering.
I don't blame android, but I sure as hell won't ever buy Motorola again. My next phone with be 100% update-able by me (except for the cell radio itself, obviously). I don't care if I have to wait until Android 8.0 comes out to get it.
I8-D
I thought we had all learned this lesson a long time ago -- Encrypted data BEFORE it leaves your computer, especially when connecting via untrusted WIFI.
Android > Wireless And Network settings > VPN Settings > Add VPN.
"Yeah, but it's difficult to set up my own VPN. What about computer illiterate users?"
"You expect my grandma to do this?"
No. I don't care about anyone else's competency or security. Use VPN or only SSL websites on untrusted WIFI or face the consequences.
This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.
Isn't this more or less the same thing that Firesheep does, and why the EFF is urging everyone to use HTTPS wherever possible?
Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage a compromised gmail account can cause.
Sigh. Few people actually realize this, but Google can't possibly do it even if they wanted.
Each different phone has different custom hardware. That requires a different kernel, different drivers, etc, etc. Google couldn't possible push an update to any hardware except its own - Nexus One and Nexus S. There is no standard for phones like there is for personal computers. Google would have to maintain and test different Android distributions for every one of the (hundreds?) phones out there. Absurd.
When you buy a phone from a manufacturer (Samsung, HTC, Motorola, whatever) it is that manufacturer's responsibility to update your phone. If you don't like their update policies, don't buy from them. The market should work. And if people don't care (which is apparently the case), why should the manufacturers?
Sadly, Google gets blamed for something which is outside of their control. It is like blaming Linus Torvalds for me being too lazy to install the latest security updates on our company website.
That's the voice recognition software working for her. Try disabling voice dialing.
I used to use voice stuff until I sneezed while driving and discovered my phone thought I said father and dialed him.
From then on I refuse to use Voice activated features as none of them actually work right in the real world. They use quarter or half samples of pick up key phrases and hash those for speed however because of the compression/ judging that they use for hashes there is huge number of items that "sound alike"
i thought once I was found, but it was only a dream.
I think they should just abstract away the hardware-specific components. There's a great deal of code that is purely unrelated to hardware components that could be be separated and updated OTA by Google.