99% of Android phones vulnerable to account exploit

Mobile security is quickly becoming a hot topic: iOS and other platforms recently came under fire for tracking users' location, although Apple quickly patched that. Now a report from The Register states that 99% of Android phones are vulnerable to an exploit that exposes users' account credentials.

The report attributes the vulnerability to an "improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier." A captured token stays valid for as long as 14 days, so anyone who acquires it could take control of the account. The Register states:

After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

Even more damaging is how easily this exploit could be used in the real world. By setting up a rogue WiFi network, an attacker could capture a user's tokens and compromise the accounts. The report states:

"To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks," they wrote. "With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing."
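As an added, defender-side illustration (not code from the article or from the researchers it quotes): a small Python monitor that scans HTTP request heads captured in the clear on a network you operate, flags ClientLogin authTokens sent without TLS, and uses the 14-day window quoted above to compute how long each captured token stays replayable. The hostnames, paths, tokens and service table are constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# ClientLogin tokens ride in "Authorization: GoogleLogin auth=<token>"; the
# patterns, service table and sample data below are our own constructions.
AUTH_HEADER = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
SERVICE_BY_PATH = {"/calendar/": "calendar", "/m8/feeds/": "contacts"}
TOKEN_LIFETIME = timedelta(days=14)  # validity window reported in the article

@dataclass(frozen=True)
class Finding:
    client: str
    service: str
    host: str
    token_fingerprint: str  # SHA-256 prefix; the monitor never stores the secret
    usable_until: datetime  # a captured token can be replayed until this time

def find_cleartext_tokens(captured):
    """captured: iterable of (timestamp, client_ip, raw HTTP request head) seen
    in the clear on a network you operate. Returns one Finding per leaked
    (client, service) pair, so responders know which accounts to re-secure."""
    seen, findings = set(), []
    for ts, client, raw in captured:
        m = AUTH_HEADER.search(raw)
        if not m:
            continue  # request carries no ClientLogin token
        path = raw.split(" ", 2)[1] if raw.count(" ") >= 2 else ""
        service = next((s for p, s in SERVICE_BY_PATH.items() if path.startswith(p)), "other")
        if (client, service) in seen:
            continue  # report each leaked account once per client
        seen.add((client, service))
        host = HOST_HEADER.search(raw)
        fp = hashlib.sha256(m.group(1).encode()).hexdigest()[:12]
        findings.append(Finding(client, service, host.group(1) if host else "?", fp, ts + TOKEN_LIFETIME))
    return findings

# Constructed sample capture: placeholder hosts, paths and tokens, not real ones.
T0 = datetime(2011, 5, 17, 8, 30)
REQ = "GET {path} HTTP/1.1\r\nHost: www.google.com\r\nAuthorization: GoogleLogin auth={tok}\r\n\r\n"
SAMPLE_CAPTURE = [
    (T0, "10.0.0.5", REQ.format(path="/calendar/feeds/default/private/full", tok="DQAAconstructedCalTok")),
    (T0 + timedelta(seconds=2), "10.0.0.5", REQ.format(path="/m8/feeds/contacts/default/full", tok="DQAAconstructedCtsTok")),
    (T0 + timedelta(seconds=5), "10.0.0.5", REQ.format(path="/calendar/feeds/default/allcalendars/full", tok="DQAAconstructedCalTok")),
    (T0 + timedelta(minutes=1), "10.0.0.7", "GET /reader/api/0/token HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
]
```

Running find_cleartext_tokens(SAMPLE_CAPTURE) yields two findings for 10.0.0.5 (calendar and contacts, the repeated calendar token collapsed into one), each marked replayable until 14 days after capture; the token-less request from 10.0.0.7 is ignored.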

This security exploit should raise concern for end users. Android users are advised to use only encrypted WiFi networks to keep their data secure. Another issue is that for Google to fix the flaw, a patch has to be pushed out to the device, and carriers have been slow to roll out updates, which means this vulnerability could remain in the wild for some time.


d4v1d05 said,
You had me until "The Register" then I couldn't read any more. That place is more tabloidy than The Sun...

You aren't going to survive in the world as an objective thinker unless you can expose yourself to biased information and still find the truth hiding in it.

Luckily, I do not use any of the aforementioned accounts to get the vulnerability. So, not so scary for me, I guess. But nevertheless, still not good. More worried about the carriers having to push the update. That is the really bad part.

The last part is so true with Android. I wish there was some kind of Android update (akin to Windows Update) for patches like this to be released without having to wait for the carrier who may never release the patch.

Magallanes said,
absurd.

Many websites send their username and password as plain-text. Example: Neowin.

Can't really compare to that seeing as you have to type it in and press enter/login. What this article is talking about is a phone connecting to a network without asking you, then sending your auth tokens without any user interaction as well.

As I mentioned in another comment, this could happen to you walking down the street without you even knowing it.

DomZ said,

Can't really compare to that seeing as you have to type it in and press enter/login. What this article is talking about is a phone connecting to a network without asking you, then sending your auth tokens without any user interaction as well.

As I mentioned in another comment, this could happen to you walking down the street without you even knowing it.

I've replied to your other comment below, so I won't do it again here.

As for you having to press enter/login for Neowin etc., that's not totally true. What happens if you set Neowin to remember your details so that it logs you in automatically. It stores an authorisation cookie on your computer (token), which gets transmitted with every HTTP request to the website. This cookie/token is readable by anyone sniffing your network traffic, and allows them to impersonate you.

Why are most sites, especially BBC News, telling us that "users should update"? There simply aren't any updates! It's up to the phone brands like HTC/Samsung to get it out so it's out of our control.

Let the lawsuits come....

Yea, an update may be hard due to the carriers not releasing them in a timely manner. However, hopefully what Google is doing will make this easier.

giggsey said,
Breaking News

Unprotected networks allow other people to snoop on unencrypted traffic.

+1. This is not exactly an issue if you are careful about what you are doing and don't just connect to any old unencrypted network. Lots of websites send tokens in the clear.

giggsey said,
Breaking News

Unprotected networks allow other people to snoop on unencrypted traffic.

I think the issue is the Android versions in question will automatically connect to these networks, and services automatically sync - so this could happen to you while walking down the street without even knowing (or turning off wifi/some other settings).

iOS prompts you to choose a network, I'm assuming this is what the later Android versions do which is why they're not vulnerable?

DomZ said,
I think the issue is the Android versions in question will automatically connect to these networks, and services automatically sync - so this could happen to you while walking down the street without even knowing (or turning off wifi/some other settings).

Yeah HTC Incredible user here who has used both Sense and AOSP roms, my phone hasn't auto-connected to any open wifi spots and I'd be ****ed if it did. It gives you a notification, however, that open wireless hotspots are in the area but it does NOT autoconnect.

However, that is just AOSP and Sense roms. I have no idea about Samsung or other manufacturers. But this is why I told my mom to use her Verizon dataplan on her netbook to connect and use confidential files. At least on Verizon it's much harder to snoop.

DomZ said,

I think the issue is the Android versions in question will automatically connect to these networks, and services automatically sync - so this could happen to you while walking down the street without even knowing (or turning off wifi/some other settings).

iOS prompts you to choose a network, I'm assuming this is what the later Android versions do which is why they're not vulnerable?

As OrangeFTW said, it provides you with a notification that there is an open wireless network around. It only automatically connects to networks that you have connected to before, and set to automatically connect to.

Hurricane Andrew said,
That's why I tend to not use unencrypted public wi-fi unless I absolutely have to. What don't people get about the "unencrypted" part?

What would be the point of using encrypted public WiFi? Everyone who has the encryption key can see your stuff, and if it's public, well then lots have it. The key should be not to use any internet service that carries private/confidential information, while on a public network, when the website has no encryption of its own (SSL, TLS)

Sraf said,

What would be the point of using encrypted public WiFi? Everyone who has the encryption key can see your stuff, and if it's public, well then lots have it. The key should be not to use any internet service that carries private/confidential information, while on a public network, when the website has no encryption of its own (SSL, TLS)

Even if the password is known, everyone gets their own key that encrypts the data between the user and the access point. No one can sniff someone else's connection.

DrDrrae said,
Even if the password is known, everyone gets their own key that encrypts the data between the user and the access point. No one can sniff someone else's connection.

My mistake

Too bad the carriers couldn't be skipped, they are slowing everyone down in Android and WP7, holding month-old updates back, making updates not really updates anymore...

Hope this is false, or hope google can do something if it is true...

Subject Delta said,
I don't use my phone on unencrypted networks so I am not all that bothered by this.

Same here. Just using it on my OWN router, which is encrypted anyway.
Oh, and I'm on 2.3.4 ...

Using CM7.1 RC, based on Android 2.3.4, on a Droid Eris. Good thing I didn't rely on HTC or Verizon to keep my phone up to date! They both tossed the Eris out the window after only 6 months.

I'm glad I got rid of my 2 Motorola Droids from Verizon, they said that every phone on their network except the Motorola Xoom is still at Froyo! God bless my new AT&T Apple iPhone 3GS!

Luckily I keep WiFi off other than when I'm at home, when it automatically connects to my WiFi network. If my accounts get stolen at least I know it's one of my neighbours
