Android Phone Tips
Google has plugged an Android hole that could have allowed someone to snoop on an unencrypted Wi-Fi network and access calendar and contact data on the smartphones. Basically, the fix forces all Android devices to connect to Google Calendar and Contacts servers over HTTPS (Hypertext Transfer Protocol Secure) so that someone snooping on an unprotected wireless network won't be able to grab the authentication tokens the operating system uses to validate devices.

Google is in the process of updating its Android operating system to fix an issue that is believed to have left millions of smartphones and tablets vulnerable to personal data leaks. "We recently started rolling out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesman said in a statement. The flaw affected 99.7% of all Android smartphones and was not limited to Google Calendar and Contacts, "but is theoretically feasible with all Google services," the University of Ulm said.

"For instance, the adversary can gain full access to the calendar, contacts information or private Web albums of the respective Google user," the Ulm researchers said. Google said Wednesday that it has fixed a security glitch that reportedly opened up 99 percent of Android-based devices to a security breach.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson told PCMag. ClientLogin is used to verify users' identity on Android apps, and it saves the authentication data (authToken) for up to two weeks. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.

Google calls it a "silent fix": a Google spokesperson said all users will get the update automatically. Researchers from the University of Ulm have found that all Android versions 2.3.3 or older - which constitute 99.7 percent of Android phones currently in use - are vulnerable to data theft over unencrypted Wi-Fi. Android 3.0 and 2.3.4, however, are not affected by such attacks.

To use Google services, an installed app first needs an authorization token from ClientLogin. The app makes a ClientLogin call to Google's authorization service and receives an authorization token (authToken). The app then presents that authToken in each request for data access to a Google service. Anyone who captures the token can impersonate the user and read or manipulate personal data such as Google Calendar, Contacts and Picasa Web Albums.

The attacker then waits for Android phones with default settings to connect to the Wi-Fi and siphons off the authTokens requested for various Google services. Android users can protect themselves from such attacks either by upgrading to Android 2.3.4 or by switching off automatic syncing while connected to open Wi-Fi networks. The researchers tested the attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps.

Google explains the ClientLogin process by citing an example of an installed application that communicates with Google Calendar. Google states: "To accomplish this, you need to get access to a user's Calendar account. Before you can access the account, you need to request authorization from Google. Once you've been successfully authorized and received a token, you can access your user's Calendar data, referencing the token in each request."
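The two mitigations described above (the fix that forces token-bearing requests onto HTTPS, and the user-side workaround of not auto-syncing on open Wi-Fi) come down to a couple of policy checks a client can make before it ever puts an authToken on the wire. The following Python is an added illustration, not Google's or Android's code: the `NetworkInfo` structure, the sample token value, the clock and the `sync_calendar` helper are all constructed for this example. The `Authorization: GoogleLogin auth=<token>` header format and the two-week token lifetime are as the ClientLogin documentation and the text above describe; the Calendar feed URL is used only as an example endpoint.

```python
"""Token-handling policy modelled on the ClientLogin fix described above.

Illustrative code only (not Google's). Assumptions: the NetworkInfo
structure, the sample token, the fixed clock and the endpoint URLs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# ClientLogin caches an authToken for up to two weeks (per the text above).
TOKEN_LIFETIME = timedelta(days=14)


class InsecureTransport(Exception):
    """Raised when a bearer token would be sent over plaintext HTTP."""


@dataclass
class AuthToken:
    value: str
    issued_at: datetime

    def expired(self, now: datetime) -> bool:
        return now - self.issued_at >= TOKEN_LIFETIME


@dataclass
class NetworkInfo:
    ssid: str
    encrypted: bool  # False for an open Wi-Fi network


def build_request(url: str, token: AuthToken, now: datetime):
    """Return (url, headers) for a Google Data API call.

    This is the policy the fix enforces: the authToken is attached only
    when the transport is HTTPS, so a passive observer on open Wi-Fi
    never sees it. A stale token is rejected so the caller re-runs
    ClientLogin instead of sending a dead credential.
    """
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise InsecureTransport(f"refusing to send authToken over '{scheme or 'unknown'}'")
    if token.expired(now):
        raise PermissionError("authToken older than two weeks; re-run ClientLogin")
    return url, {"Authorization": f"GoogleLogin auth={token.value}"}


def should_auto_sync(network: NetworkInfo, allow_open_wifi: bool = False) -> bool:
    """Second mitigation from the text: an unpatched device can simply skip
    automatic syncing while it is on an unencrypted network."""
    return network.encrypted or allow_open_wifi


def sync_calendar(url: str, token: AuthToken, network: NetworkInfo,
                  now: datetime, allow_open_wifi: bool = False) -> str:
    """Apply both checks and report what a sync attempt would do."""
    if not should_auto_sync(network, allow_open_wifi):
        return "skipped: auto-sync disabled on open Wi-Fi"
    try:
        _, headers = build_request(url, token, now)
    except (InsecureTransport, PermissionError) as exc:
        return f"blocked: {exc}"
    return f"sent: {headers['Authorization'][:22]}..."


# --- constructed sample data (not real tokens or captures) -----------------
NOW = datetime(2011, 5, 27, tzinfo=timezone.utc)
FRESH_TOKEN = AuthToken("DQAAAexampleTokenConstructedForDemo", NOW - timedelta(days=1))
STALE_TOKEN = AuthToken("DQAAAexampleTokenConstructedForDemo", NOW - timedelta(days=15))
OPEN_WIFI = NetworkInfo("CoffeeShop-Free", encrypted=False)
WPA_WIFI = NetworkInfo("HomeNet", encrypted=True)
CALENDAR_HTTP = "http://www.google.com/calendar/feeds/default/private/full"
CALENDAR_HTTPS = "https://www.google.com/calendar/feeds/default/private/full"

if __name__ == "__main__":
    for label, url, tok, net, allow in [
        ("pre-fix client on WPA", CALENDAR_HTTP, FRESH_TOKEN, WPA_WIFI, True),
        ("patched client on WPA", CALENDAR_HTTPS, FRESH_TOKEN, WPA_WIFI, True),
        ("open Wi-Fi, auto-sync off", CALENDAR_HTTPS, FRESH_TOKEN, OPEN_WIFI, False),
        ("stale token", CALENDAR_HTTPS, STALE_TOKEN, WPA_WIFI, True),
    ]:
        print(f"{label:28s} -> {sync_calendar(url, tok, net, NOW, allow)}")
```

The first case is the pre-fix behaviour: a plaintext feed URL with a two-week-valid token is exactly what a sniffer on an open network could harvest, so the client refuses to attach the header at all rather than trusting the network. The open Wi-Fi case shows the workaround the researchers recommended for unpatched handsets; it is a policy switch in the client, not a change to the transport.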
By Android Phone Tips

Friday, May 27, 2011