German researchers have discovered that 99.7 percent of Android smartphones on the market are vulnerable to a security exploit that could give hackers access to calendars, contact information and even private web albums.
I picked up an Android-powered HTC smartphone a couple weeks ago and let me tell you, it is awesome. But according to a group of researchers at Ulm University in Germany, it’s also vulnerable to a relatively simple but potentially devastating exploit thanks to apps that transmit data “in the clear,” including not just third-party software but also Google’s own Calendar app. Eavesdroppers, it turns out, can access this information and use it to access a wide range of Google services.
“ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via an HTTPS connection,” the report explained. “Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API.”
Through this exploit, hackers can not just view a user’s calendar, contacts and web albums but actually modify or delete all the information contained within. The Google Calendar and Contacts sync began using secure HTTPS connections to transmit data with Android version 2.3.4 but the Picasa synchronization still uses HTTP and thus remains vulnerable. Furthermore, the report says, “this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS.”
A Google representative told Eurogamer that the company knows about the problem and is in the process of correcting it. “We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa,” the rep said.
On the upside, this security hole doesn’t appear to expose Android users to the sort of “one fell swoop” attack like the one that brought down the PlayStation Network, but on a less optimistic note the report claims that as of May 2, 99.7 percent of all Android phones are affected by the security flaw. Fortunately, it also has a few suggestions for protecting yourself against eavesdroppers: upgrade to the latest version of Android as soon as possible, switch off automatic syncing when connecting to open Wifi networks, set your device to forget open networks you’ve previously connected to and, if possible, just don’t use affected apps on open WiFi networks.
