Google has admitted that it is working on a second attempt to fix an Android security hole that could see usernames and passwords for Google Calendar, Facebook, Twitter, Picasa and other services stolen and used by third parties. Researchers from the University of Ulm in Germany discovered that Android has been sending cleartext authentication tokens (authTokens) that remain valid for up to fourteen days; if the Android device was connected via an unencrypted WiFi network, those tokens could be intercepted and then replayed to gain unauthorised access to the accounts.
“To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” the research team suggests. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
Google apparently addressed the flaw for the most part in Android 2.3.4, though Picasa still uses the cleartext method. The search giant says its engineers are currently working on a fix. However, that leaves the vast majority of Android devices unprotected; a quick glance at the latest platform stats shows that the bulk of phones are running versions susceptible to the loophole.
Apps using ClientLogin should switch to encrypted HTTPS channels, the researchers suggest, and the spread of OAuth support should help reduce the potential for data theft. However, right now Google and carriers can only suggest that Android users be cautious about how they connect; a Verizon spokesperson said the carrier’s subscribers should consider avoiding unsecured WiFi networks.
[via The Register]