Mobile security is quickly becoming a hot topic as iOS and other platforms came under fire for tracking users' location, although that was quickly patched by Apple. Now, reports from the Register state that 99% of Android phones are vulnerable to being exploited and exposing users account credentials.
The report states that there is a vulnerability because of "improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier." This vulnerability opens up accounts for as long as 14 days and could allow anyone who acquires the tokens to take control of your account. The Register states:
After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
Even more damaging is how easily this exploit can be used in the real world. By setting up a WiFi network, a users tokens could be acquired and the accounts compromised. The report states:
To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing
This security exploit should raise concern for end users. It is recommended that, on Android, to always use encrypted WiFi to maintain data security. Another issue is that for Google to patch the exploit, they have to push a patch out to the device. The problem arises that carriers have been slow to roll out updates for devices, which means that this vulnerability could remain in the wild for some time.
39 Comments - Add comment