Swiped Tokens Expose Android Devices To Data Theft
tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."
Please. This is abhorrent fear-mongering.
This is hardly different from sidejacking someone's Facebook session on unsecured wifi at Starbucks. Don't send private data that you want to be secure over inherently insecure networks.
Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?
While it is fear-mongering, it is hardly as trivial as the Facebook hacks of yore. For one, there is no way to enable/require SSL for these tokens (at least in plain sight). Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.
Therefore, if you have an Android phone you basically better never use WiFi at less than WPA2 grade encryption unless you want to risk your email and other services being compromised, period, end of story, no workaround.
I can only hope that thanks to the openness of Android, someone can code an app that allows for more granular control of what services are connecting at any given time, to at least give those with a clue the ability to stay safe when using open wifi.
As it says in TFA:
"The researchers tested out apps that contact Google services, including Calendar, Contacts, and Gallery, on various iterations of Android. They found that those apps were all vulnerable on devices running Android 2.3.3 or earlier. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app -- which syncs with Picasa online Web albums -- does not. More important, the vulnerability is not limited to standard Android apps; any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable."
So, update to 2.3.4 when possible, and avoid unsecured wireless until then. It's not a life-threatening issue, more of a notice.
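The point in the quoted article is that any app using ClientLogin over plain HTTP leaks its token to whoever shares the network. The following is an added example, not code from the article, the researchers or Google: a developer-side audit that scans captured outbound requests and flags a ClientLogin token carried over a non-TLS URL. The header shape (`Authorization: GoogleLogin auth=<token>`) is the legacy ClientLogin format; the request samples and the token values are constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# ClientLogin attaches the token to every request in this header.
AUTH_RE = re.compile(
    r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


class Finding(NamedTuple):
    url: str
    token_hint: str  # first 6 chars only, so the audit log itself does not leak the token


def find_cleartext_tokens(captured: Iterable[Tuple[str, str]]) -> List[Finding]:
    """captured: (url, raw header block) pairs as recorded by a debugging proxy
    on the developer's own device. Returns one Finding per request that sends a
    ClientLogin token over a URL that is not https://."""
    findings = []
    for url, headers in captured:
        match = AUTH_RE.search(headers)
        if match is None:
            continue  # no token in this request, nothing to protect
        if url.lower().startswith("https://"):
            continue  # token is protected by TLS in transit
        token = match.group(1)
        findings.append(Finding(url, token[:6] + "..."))
    return findings


# Constructed sample capture: two HTTPS requests (what 2.3.4 does for Calendar
# and Contacts), one Gallery/Picasa sync over plain HTTP, and one tokenless request.
SAMPLE_CAPTURE = [
    ("https://www.google.com/calendar/feeds/default/private/full",
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAKcalendar0001\r\n"),
    ("https://www.google.com/m8/feeds/contacts/default/full",
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAKcontacts0002\r\n"),
    ("http://picasaweb.google.com/data/feed/api/user/default",
     "Host: picasaweb.google.com\r\nAuthorization: GoogleLogin auth=DQAAAKgallery0003\r\n"),
    ("http://www.example.com/weather.json",
     "Host: www.example.com\r\nUser-Agent: sample-app/1.0\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_tokens(SAMPLE_CAPTURE):
        print(f"cleartext ClientLogin token to {finding.url} (token {finding.token_hint})")
```

Only the Picasa sync is reported: the weather request carries no token, and the two HTTPS requests carry one but protect it in transit.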
Google is harming their own rep and they don't even care. Or they are too big to stop it.
Over the weekend I bought my first Android tablet. I didn't expect much as it was a $100 Fry's special...
The hardware vendor did not care about quality. Cardboard chads were stuck under the resistive touch screen and you could see and feel bumps as you moved your finger over. Horrible! They released product like that.
Worse, the pad went into an annoying crash/reboot cycle. I went into one GUI screen, tried to change some values and it crashed/rebooted. I was just configuring something, not even USING the damned tablet.
Apple is evil, it's true; but at least they ensure a reasonable experience on their tablet. It's hella expensive and locked down, but at least they don't ship product with junk under the screen and with glaring showstopper bugs.
I know you can blame the vendor for shoddy hw and sw quality, but it does speak to Google that they are so lax with the vendors. A bit of tighter control would have benefited them. The fragmentation is also a fall-out of their lack of management on the Android platform.
Android is 'all over the place'. It's a dog's breakfast. (That's not a good thing, btw.)
I often connect to unencrypted wireless networks with my laptop, knowing full well that unless I ask it to, it will not be exchanging private info with anything. I set it up that way. How do I do that with my Android? It doesn't stop sending bits and pieces of information, afaik, even when you turn off sync. The only thing that comes to mind is using droidwall...
Just about anyone at an airport or hotel, for starters. And what's wrong with that? Shouldn't I be able to expect that to work, without compromising my accounts?
And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.
it does speak to google that they are so lax with the vendors.
There's a difference between OHA Android, which comes on phones and 3G tablets, and AOSP Android, which comes on PDAs and Wi-Fi-only tablets. Anyone can make a device with AOSP (Android Open Source Project), without Google's permission, but it'll come with AppsLib or Amazon Appstore instead of Android Market. I'm guessing that the 100 USD tablet you bought came with AOSP Android, not unlike my Archos 43 PDA. OHA Android-powered devices, on the other hand, are subject to tighter Google scrutiny, but they come with Android Market and other Google apps in return. If you want the tightest scrutiny ever, make sure to choose a phone with "Nexus" in the name.
You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol. Even if you run the wildly popular Droid X, you are running 2.2.1, and there are NO expected updates. And even the best carriers drag their asses and force us to wait for them to push the update, rather than update it ourselves. The luckier users are unlocked enough to get an updatable Mod, like Cyanogen. Unlucky users like me have no such option.
Until manufacturers supply completely unlockable phones, how "open" Android is doesn't mean shit. 2.3.4 will NEVER... EVER... be released for my phone. And I can't upgrade to Cyanogen, because it has Motorola's "fuck you in the ass" locking mechanism. I have my phone unlocked, but it's a hell of a hack, and Google removed the unlock app from their store because carriers complained that it can be used to enable tethering.
I don't blame Android, but I sure as hell won't ever buy Motorola again. My next phone will be 100% update-able by me (except for the cell radio itself, obviously). I don't care if I have to wait until Android 8.0 comes out to get it.
Isn't this more or less the same thing that Firesheep does, and why the EFF is urging everyone to use HTTPS wherever possible?
Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage a compromised gmail account can cause.
Sigh. Few people actually realize this, but Google can't possibly do it even if they wanted to.
Each different phone has different custom hardware. That requires a different kernel, different drivers, etc, etc. Google couldn't possibly push an update to any hardware except its own - Nexus One and Nexus S. There is no standard for phones like there is for personal computers. Google would have to maintain and test different Android distributions for every one of the (hundreds?) phones out there. Absurd.
When you buy a phone from a manufacturer (Samsung, HTC, Motorola, whatever) it is that manufacturer's responsibility to update your phone. If you don't like their update policies, don't buy from them. The market should work. And if people don't care (which is apparently the case), why should the manufacturers?
Sadly, Google gets blamed for something which is outside of their control. It is like blaming Linus Torvalds for me being too lazy to install the latest security updates on our company website.