Android’s Personal Data Leakage Problem

I own an Android. You own an Android. Heaps of people own Androids. But apparently 99 per cent of them can be easily attacked, every time we log into a website on an unsecured network.

This is according to researchers at the University of Ulm, in Germany, who found that any phones running a version of Android prior to 2.3.3 are vulnerable to an attack thanks to a weak ClientLogin authentication protocol. Any time an Android user signs into a service such as Twitter, Facebook or a new Google account, the authToken information is stored for 14 days, and accessible if you know how to go about it, claim the researchers:

“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks…With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

The team feigned an attack, and found it was “quite easy to do so”. Gulp. The reason 99 per cent of the Android handsets in existence are said to be vulnerable to such an attack? It’s because any phone not running Android 2.3.4, which Google released a few weeks ago, hasn’t had the security hole patched yet.

While a fix from Google would solve this problem, Android users are advised to use ClientLogin only over HTTPS connections for now. [Uni-Ulm via The Register]
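An added example, not from the article or the researchers: a defender's audit of a capture of their own device's traffic, listing ClientLogin authTokens that went out without TLS and how long each could remain usable. The `Authorization: GoogleLogin auth=` header format comes from Google's ClientLogin documentation rather than this page; the record layout, hosts and tokens are constructed.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Header format per Google's ClientLogin documentation (assumption, not on the page).
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
TOKEN_LIFETIME = timedelta(days=14)  # validity period stated in the article

# Constructed sample capture: (seen_at, used_tls, raw HTTP request head).
SAMPLE = [
    ("2011-05-17T09:00:00", False,
     "GET /feeds/default HTTP/1.1\r\nHost: calendar.example\r\n"
     "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-AAA\r\n\r\n"),
    ("2011-05-17T09:05:00", False,
     "GET /feeds/contacts HTTP/1.1\r\nHost: contacts.example\r\n"
     "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-AAA\r\n\r\n"),
    ("2011-05-17T09:06:00", True,   # sent over TLS: not exposed on the network
     "GET /feeds/photos HTTP/1.1\r\nHost: photos.example\r\n"
     "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-BBB\r\n\r\n"),
    ("2011-05-17T09:07:00", False,  # cleartext, but carries no authToken
     "GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"),
]

def audit(captures):
    """Return one finding per authToken seen in cleartext, with the token redacted."""
    findings = {}
    for seen_at, used_tls, raw in captures:
        match = AUTH_RE.search(raw)
        if used_tls or not match:
            continue
        seen = datetime.fromisoformat(seen_at)
        host = HOST_RE.search(raw)
        # Keep only a fingerprint so the report itself does not leak the token.
        fp = hashlib.sha256(match.group(1).encode()).hexdigest()[:12]
        rec = findings.setdefault(fp, {"hosts": set(), "first_seen": seen})
        rec["hosts"].add(host.group(1) if host else "unknown")
        rec["first_seen"] = min(rec["first_seen"], seen)
    # Upper bound on validity: the token was issued at or before the first sighting.
    return [{"token_fp": fp, "hosts": sorted(r["hosts"]),
             "valid_until_latest": r["first_seen"] + TOKEN_LIFETIME}
            for fp, r in sorted(findings.items(), key=lambda kv: kv[1]["first_seen"])]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each finding names the services whose sessions should be invalidated (for example by changing the account password) rather than waiting out the 14-day window.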

