
Serious Security Flaw Plagues Android Phones


German researchers have discovered that 99.7 percent of Android smartphones on the market are vulnerable to a security exploit that could give hackers access to calendars, contact information and even private web albums.

I picked up an Android-powered HTC smartphone a couple weeks ago and let me tell you, it is awesome. But according to a group of researchers at Ulm University in Germany, it’s also vulnerable to a relatively simple but potentially devastating exploit thanks to apps that transmit data “in the clear,” including not just third-party software but also Google’s own Calendar app. Eavesdroppers, it turns out, can intercept this information and use it to access a wide range of Google services.

“ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via an HTTPS connection,” the report explained. “Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API.”

Through this exploit, hackers can not just view a user’s calendar, contacts and web albums but actually modify or delete all the information contained within. The Google Calendar and Contacts sync began using secure HTTPS connections to transmit data with Android version 2.3.4 but the Picasa synchronization still uses HTTP and thus remains vulnerable. Furthermore, the report says, “this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS.”
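The report's key point, that the authToken "is not bound to any session or device specific information," is easiest to see side by side with a design that does bind it. The following is an added example, not code from the article or from the Ulm researchers: it contrasts a ClientLogin-style bearer token (accepted from whoever presents it) with a constructed server that ties each request to a per-device key, a timestamp and a nonce, so a request captured in transit cannot be reused. All names (BoundTokenServer, sign_request, the account and feed paths) are assumptions, and the password check is omitted.

```python
import hashlib
import hmac
import secrets

def sign_request(device_key, token, path, ts, nonce):
    """Client side: MAC over the token and request details, keyed with a secret that never leaves the device."""
    msg = f"{token}\n{path}\n{ts}\n{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class BoundTokenServer:
    """Token tied to a per-device key, a timestamp and a nonce: a captured request cannot be reused."""
    def __init__(self, window=60):
        self.sessions, self.seen, self.window = {}, set(), window

    def login(self, account, device_key):  # password check omitted (constructed example)
        token = secrets.token_hex(16)
        self.sessions[token] = (account, device_key)
        return token

    def request(self, token, path, ts, nonce, sig, now):
        """Returns the account on success, None if rejected."""
        if token not in self.sessions or abs(now - ts) > self.window:
            return None
        if (token, nonce) in self.seen:  # exact replay of an observed request
            return None
        account, key = self.sessions[token]
        if not hmac.compare_digest(sig, sign_request(key, token, path, ts, nonce)):
            return None  # token was captured, the device key was not: signature fails
        self.seen.add((token, nonce))
        return account

def demo():
    """What an eavesdropper who captured one request achieves against each design."""
    # Bearer design (ClientLogin-style): the server maps token -> account; the token alone is the proof.
    bearer_tokens = {secrets.token_hex(16): "alice@example.com"}
    captured = next(iter(bearer_tokens))  # token observed in a plaintext HTTP request
    bearer_replay = bearer_tokens.get(captured)  # eavesdropper is accepted as the user

    bound = BoundTokenServer()
    key = secrets.token_bytes(32)  # generated on the device, registered once over HTTPS
    tok = bound.login("alice@example.com", key)
    ts, nonce = 1_000_000, secrets.token_hex(8)
    sig = sign_request(key, tok, "/calendar/feeds", ts, nonce)
    legit = bound.request(tok, "/calendar/feeds", ts, nonce, sig, now=ts)
    exact_replay = bound.request(tok, "/calendar/feeds", ts, nonce, sig, now=ts)
    other_path = bound.request(tok, "/contacts/feeds", ts, nonce + "x", sig, now=ts)
    return bearer_replay, legit, exact_replay, other_path
```

Binding the token this way is a complement to, not a substitute for, moving the traffic to HTTPS as the report recommends: the device key is still delivered once over an encrypted channel.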

A Google representative told Eurogamer that the company knows about the problem and is in the process of correcting it. “We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa,” the rep said.

On the upside, this security hole doesn’t appear to expose Android users to the sort of “one fell swoop” attack that brought down the PlayStation Network, but on a less optimistic note the report claims that as of May 2, 99.7 percent of all Android phones are affected by the security flaw. Fortunately, it also has a few suggestions for protecting yourself against eavesdroppers: upgrade to the latest version of Android as soon as possible, switch off automatic syncing when connecting to open WiFi networks, set your device to forget open networks you’ve previously connected to and, if possible, just don’t use affected apps on open WiFi networks.
