99% of Android phones vulnerable to account exploit

Mobile security is quickly becoming a hot topic as iOS and other platforms came under fire for tracking users' location, although that was quickly patched by Apple. Now, reports from The Register state that 99% of Android phones are vulnerable to being exploited and exposing users' account credentials.

The report states that there is a vulnerability because of "improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier." This vulnerability opens up accounts for as long as 14 days and could allow anyone who acquires the tokens to take control of your account. The Register states:

After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

Even more damaging is how easily this exploit can be used in the real world. By setting up a WiFi network, an attacker could acquire a user's tokens and compromise the accounts. The report states:

“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

This exploit should concern end users. Android users are advised to always use encrypted WiFi to maintain data security. Another issue is that for Google to fix the flaw, it has to push a patch out to the device. Carriers have been slow to roll out updates for devices, which means that this vulnerability could remain in the wild for some time.
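A way to check your own app traffic for the condition described above, as an added example that is not from the article or the report it cites: it scans requests captured on a test proxy and flags any ClientLogin token (sent as `Authorization: GoogleLogin auth=...`) that travelled without TLS. The hosts, the token and the `(tls, raw_request)` capture format are constructed for illustration.

```python
import re

# ClientLogin clients present the token as "Authorization: GoogleLogin auth=<token>".
GOOGLELOGIN = re.compile(r"GoogleLogin\s+auth=(\S+)", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def redact(token):
    """Keep only a short prefix so findings can be shared without leaking the token."""
    return token[:4] + "...(%d chars)" % len(token)

def audit(captures):
    """captures: iterable of (tls, raw_request). Return tokens sent in cleartext."""
    findings = []
    for tls, raw in captures:
        _method, path, headers = parse_request(raw)
        match = GOOGLELOGIN.search(headers.get("authorization", ""))
        if match and not tls:
            findings.append({
                "host": headers.get("host", "?"),
                "path": path,
                "token": redact(match.group(1)),
            })
    return findings

# Constructed sample capture: same token over HTTP and HTTPS, plus an unrelated request.
AUTH = "Authorization: GoogleLogin auth=CONSTRUCTED0001TOKEN\r\n"
SAMPLE = [
    (False, "GET /calendar/feeds HTTP/1.1\r\nHost: calendar.example.test\r\n" + AUTH + "\r\n"),
    (True, "GET /calendar/feeds HTTP/1.1\r\nHost: calendar.example.test\r\n" + AUTH + "\r\n"),
    (False, "GET /index.html HTTP/1.1\r\nHost: news.example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("cleartext authToken:", finding)
```

Only the first sample request is reported: the second carries the same token but over TLS, and the third carries no token at all.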

39 Comments


Luckily I keep WiFi off other than when I'm at home, when it automatically connects to my WiFi network. If my accounts get stolen at least I know it's one of my neighbours

I'm glad I got rid of my 2 Motorola Droids from Verizon, they said that every phone on their network except the Motorola Zoom is still at Froyo! God bless my new AT&T Apple iPhone 3GS!

Using CM7.1 RC, based on Android 2.3.4, on a Droid Eris. Good thing I didn't rely on HTC or Verizon to keep my phone up to date! They both tossed the Eris out the window after only 6 months.

Too bad the carriers couldn't be skipped, they are slowing everyone down in Android and WP7, holding month-old updates back, making updates not really updates anymore...

Hope this is false, or hope google can do something if it is true...

Hurricane Andrew said,
That's why I tend to not use unencrypted public wi-fi unless I absolutely have to. What don't people get about the "unencrypted" part?

What would be the point of using encrypted public WiFi? Everyone who has the encryption key can see your stuff, and if it's public, well then lots have it. The key should be not to use any internet service that carries private/confidential information, while on a public network, when the website has no encryption of its own (SSL, TLS)

Sraf said,

What would be the point of using encrypted public WiFi? Everyone who has the encryption key can see your stuff, and if it's public, well then lots have it. The key should be not to use any internet service that carries private/confidential information, while on a public network, when the website has no encryption of its own (SSL, TLS)

Even if the password is known, everyone gets their own key that encrypts the data between the user and the access point. No one can sniff someone else's connection.

DrDrrae said,
Even if the password is known, everyone gets their own key that encrypts the data between the user and the access point. No one can sniff someone else's connection.

My mistake

giggsey said,
Breaking News

Unprotected networks allow other people to snoop on unencrypted traffic.

+1. This is not exactly an issue if you are careful about what you are doing and don't just connect to any old unencrypted network. Lots of websites send tokens in the clear.

giggsey said,
Breaking News

Unprotected networks allow other people to snoop on unencrypted traffic.

I think the issue is the Android versions in question will automatically connect to these networks, and services automatically sync - so this could happen to you while walking down the street without even knowing (or turning off wifi/some other settings).

iOS prompts you to choose a network, I'm assuming this is what the later Android versions do which is why they're not vulnerable?

DomZ said,
I think the issue is the Android versions in question will automatically connect to these networks, and services automatically sync - so this could happen to you while walking down the street without even knowing (or turning off wifi/some other settings).

Yeah HTC Incredible user here who has used both Sense and AOSP roms, my phone hasn't auto-connected to any open wifi spots and I'd be ****ed if it did. It gives you a notification, however, that open wireless hotspots are in the area but it does NOT autoconnect.

However, that is just AOSP and Sense roms. I have no idea about Samsung or other manufacturers. But this is why I told my mom to use her Verizon dataplan on her netbook to connect and use confidential files. At least on Verizon it's much harder to snoop.

DomZ said,

I think the issue is the Android versions in question will automatically connect to these networks, and services automatically sync - so this could happen to you while walking down the street without even knowing (or turning off wifi/some other settings).

iOS prompts you to choose a network, I'm assuming this is what the later Android versions do which is why they're not vulnerable?

As OrangeFTW said, it provides you with a notification that there is an open wireless network around. It only automatically connects to networks that you have connected to before, and set to automatically connect to.

Let the lawsuits come....

Yea, an update may be hard due to the carriers not releasing them in a timely manner. However, hopefully what Google is doing will make this easier.

Why are most sites, especially BBC News, telling us that "users should update"? There simply aren't any updates! It's up to the phone brands like HTC/Samsung to get it out so it's out of our control.

Magallanes said,
absurd.

Many websites send their username and password as plain-text. Example: Neowin.

Can't really compare to that seeing as you have to type it in and press enter/login. What this article is talking about is a phone connecting to a network without asking you, then sending your auth tokens without any user interaction as well.

As I mentioned in another comment, this could happen to you walking down the street without you even knowing it.

DomZ said,

Can't really compare to that seeing as you have to type it in and press enter/login. What this article is talking about is a phone connecting to a network without asking you, then sending your auth tokens without any user interaction as well.

As I mentioned in another comment, this could happen to you walking down the street without you even knowing it.

I've replied to your other comment below, so I won't do it again here.

As for you having to press enter/login for Neowin etc., that's not totally true. What happens if you set Neowin to remember your details so that it logs you in automatically? It stores an authorisation cookie on your computer (token), which gets transmitted with every HTTP request to the website. This cookie/token is readable by anyone sniffing your network traffic, and allows them to impersonate you.

The last part is so true with Android. I wish there was some kind of Android update (akin to Windows Update) for patches like this to be released without having to wait for the carrier who may never release the patch.

Luckily, I do not use any of the aforementioned accounts to get the vulnerability. So, not so scary for me, I guess. But nevertheless, still not good. More worried about the carriers having to push the update. That is the really bad part.

d4v1d05 said,
You had me until "The Register" then I couldn't read any more. That place is more tabloidy than The Sun...

Gotta love people who cannot do a SEARCH and see that The Register is not the only site reporting this. Also got to love people who don't realize that The Reg is legit info and they just put a sarcastic/funny spin. It's not a tabloid site or anything like The Onion.

d4v1d05 said,
You had me until "The Register" then I couldn't read any more. That place is more tabloidy than The Sun...

You aren't going to survive in the world as an objective thinker unless you can expose yourself to biased information and still find the truth hiding in it.

I have to love how Google says they are trying to save people from Windows with Chrome OS (and obviously Android too), but encounter many of the same issues that Microsoft had during its XP era.

It's not as easy as it looks to create a largely used operating system, especially when it becomes so big that it's subject to most of the attacks.

Hercules said,
I have to love how Google says they are trying to save people from Windows with Chrome OS (and obviously Android too), but encounter many of the same issues that Microsoft had during its XP era.

It's not as easy as it looks to create a largely used operating system, especially when it becomes so big that it's subject to most of the attacks.

Don't you mean adapt? Last I checked Android was built on-top of Linux. Google deserves some credit but not 100%.

Shadrack said,

Don't you mean adapt? Last I checked Android was built on-top of Linux. Google deserves some credit but not 100%.

create: to cause to come into existence

source: dictionary.reference.com

I feel like saying that Google didn't create Android is like saying that you can't create new recipes because you are just rearranging old ingredients to make something new.

Digitalx said,
no problem bring on 2.3.5 not to mention sooner it's known the better... this will be fixed by 3.1's release.

but all the currently existing devices running these versions will not receive 3.1

Digitalx said,
no problem bring on 2.3.5 not to mention sooner it's known the better... this will be fixed by 3.1's release.

v2.3.4 doesn't have this issue, this makes me one of those 1% who are safe

ramik said,

v2.3.4 doesn't have this issue, this makes me one of those 1% who are safe

well if 2.3.4 isn't affected then no problem.

but all the currently existing devices running these versions will not receive 3.1

Well put 2.3.4 on which will unless it's ancient and not rooted in which case - own fault, take control of your device.

Digitalx said,

Well put 2.3.4 on which will unless it's ancient and not rooted in which case - own fault, take control of your device.

Wanna know how I know you're a n00b?

/you do not get magical fairy dust access to new releases of Android by rooting
//derp

Joshie said,

Wanna know how I know you're a n00b?

/you do not get magical fairy dust access to new releases of Android by rooting
//derp

Waiting for the official ROM update from HTC and Motorola is likely longer than waiting for a new smartphone with more recent firmware.

computerchan said,

Waiting for the official ROM update from HTC and Motorola is likely longer than waiting for a new smartphone with more recent firmware.

If you're implying that unofficial custom firmware with all the latest updates from Google is nothing more than a trip to XDA away, you're just kidding yourself. Again, rooting is not a magic carpet ride to bleeding edge land. It's primarily a way to get free wireless tether and remove stock applications, and secondarily a way to install modified Android builds based on what was released...by the vendors. Not Google.

Joshie said,

Wanna know how I know you're a n00b?

/you do not get magical fairy dust access to new releases of Android by rooting
//derp

O_o I had 2.3.4 the day it went final public build. If other people can't do this and get hit with the security issue at hand then that's their fault for not keeping up to date. So you're obviously a bit noob not understanding how baked roms work on rooted devices. Maybe some people need to learn how AOSP and roms work...