Swiped Tokens Expose Android Devices To Data Theft

← Back to Stories (view on slashdot.org)

Swiped Tokens Expose Android Devices To Data Theft

Posted by CmdrTaco on Tuesday May 17, 2011 @04:07AM from the swipe-the-leg dept.

tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

3 of 162 comments (clear)

Min score:

Reason:

Sort:

Doesn't sound like Android is that relevant by Anonymous Coward · 2011-05-17 04:15 · Score: 5, Insightful

Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?
Re:Just update your phone. by delinear · 2011-05-17 04:41 · Score: 5, Insightful

If only Google had taken the decision to bypass carriers and enable me to force an update. Unfortunately I'm still on 2.2 and wholly relient on my carrier passing any update down the line to me (or I hack the phone and lose any warranty/support). In my opinion this was the biggest mistake of Android, giving the power over updates to companies who have no interest in keeping me on my existing phone longer when they really want to sell me a phone with the latest version. I understand why this is good for carriers, I understand why Google accepted the situation (to encourage uptake of the OS and to move the issue of hardware fragmentation onto the providers), but it's still a bad deal for the user when there are unpatched exploits out there. Apple manage to push through updates (and they've got less incentive to do so than Google, since they sell the hardware), I wish Google could have been more forceful and at least given users the ability to decide if they want to update or wait for their carrier's update.
AOSP Android vs. OHA Android by tepples · 2011-05-17 04:43 · Score: 5, Informative

it does speak to google that they are so lax with the vendors.
There's a difference between OHA Android, which comes on phones and 3G tablets, and AOSP Android, which comes on PDAs and Wi-Fi-only tablets. Anyone can make a device with AOSP (Android Open Source Project), without Google's permission, but it'll come with AppsLib or Amazon Appstore instead of Android Market. I'm guessing that the 100 USD tablet you bought came with AOSP Android, not unlike my Archos 43 PDA. OHA Android-powered devices, on the other hand, are subject to tighter Google scrutiny, but they come with Android Market and other Google apps in return. If you want the tightest scrutiny ever, make sure to choose a phone with "Nexus" in the name.