
Swiped Tokens Expose Android Devices To Data Theft

tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."
  • by Anonymous Coward on Tuesday May 17, 2011 @12:11PM (#36154706)

    Please. This is abhorrent fear-mongering.

    This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks. Don't send private data that you want to be secure over inherently insecure networks.

  • by Anonymous Coward on Tuesday May 17, 2011 @12:15PM (#36154790)

    Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?

  • by mehrotra.akash ( 1539473 ) on Tuesday May 17, 2011 @12:16PM (#36154808)

    A shiny, insecure UI will always be more popular than a plain, secure one.

  • by vajorie ( 1307049 ) on Tuesday May 17, 2011 @12:37PM (#36155116)
    You missed this part:

    turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

    I often connect to unencrypted wireless networks with my laptop, knowing full well that unless I ask it to, it will not be exchanging private info with anything. I set it up that way. How do I do that with my Android? It doesn't stop sending bits and pieces of information, afaik, even when you turn off sync. The only thing that comes to mind is using droidwall...

  • by mpicker0 ( 411333 ) on Tuesday May 17, 2011 @12:37PM (#36155118)
    Just about anyone at an airport or hotel, for starters. And what's wrong with that? Shouldn't I be able to expect that to work, without compromising my accounts?
  • And? (Score:4, Insightful)

    by thePowerOfGrayskull ( 905905 ) on Tuesday May 17, 2011 @12:37PM (#36155122)
    And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.
  • by delinear ( 991444 ) on Tuesday May 17, 2011 @12:41PM (#36155184)
    If only Google had taken the decision to bypass carriers and enable me to force an update. Unfortunately I'm still on 2.2 and wholly reliant on my carrier passing any update down the line to me (or I hack the phone and lose any warranty/support). In my opinion this was the biggest mistake of Android, giving the power over updates to companies who have no interest in keeping me on my existing phone longer when they really want to sell me a phone with the latest version. I understand why this is good for carriers, I understand why Google accepted the situation (to encourage uptake of the OS and to move the issue of hardware fragmentation onto the providers), but it's still a bad deal for the user when there are unpatched exploits out there. Apple manage to push through updates (and they've got less incentive to do so than Google, since they sell the hardware); I wish Google could have been more forceful and at least given users the ability to decide if they want to update or wait for their carrier's update.
  • by Bill_the_Engineer ( 772575 ) on Tuesday May 17, 2011 @12:56PM (#36155412)

    Sorry, but that argument is lame and totally inappropriate. Google dropped the ball on this one. If an application needs to transfer sensitive information back to a server then the application should ensure that it is done securely. It is bad practice to assume that the path to the server is secure.

    Why are we only taking Wifi into account? I remember a while back talk about an exploit in GSM that allowed femtocells to eavesdrop on a cellphone's transmissions. Don't assume that wifi is the only weak link.
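
The point made in the comment above (the application, not the network, must guarantee the transport) and the problem in the summary (a token that is not bound to a device or session, sent over plaintext Wi-Fi) can both be shown in a few lines. The following is an added example and is not code from the Slashdot thread, from the Ulm researchers, or from Android itself. It assumes a generic bearer-style `Authorization` header and a hypothetical one-header-per-line proxy log format; the hostnames, tokens and log lines are constructed.

```python
"""Two defensive checks for auth tokens sent over plaintext HTTP.

1. build_authenticated_request: a client-side wrapper that attaches a token
   only when the request goes over HTTPS, so an app never "accidentally"
   downgrades a credential onto an unsecured network.
2. find_plaintext_credentials: a scanner for a (hypothetical) proxy or capture
   log that flags credential headers that travelled over http://, the check a
   defender can run to find apps leaking tokens the way the summary describes.

Everything here is an added example; hostnames, tokens and log lines are
constructed sample data, not values from the article.
"""
import re
from urllib.parse import urlparse

# Headers that carry session credentials and must never leave over plaintext.
CREDENTIAL_HEADERS = ("authorization", "cookie")


class InsecureTransportError(Exception):
    """Raised when a credential would be sent over a non-HTTPS URL."""


def build_authenticated_request(url: str, token: str) -> dict:
    """Return request headers for `url` with the token attached.

    Refuses (raises) for anything other than https:// instead of silently
    sending the token in the clear. Fail closed, not open.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransportError(
            f"refusing to send token over {scheme or 'unknown'!r}: {url}")
    return {"Authorization": f"Bearer {token}"}


# Hypothetical log format (constructed for this example):
#   <METHOD> <url> hdr:<Header-Name>=<value>
LOG_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+hdr:(?P<name>[^=]+)=(?P<value>.*)$")


def find_plaintext_credentials(log_lines):
    """Return (url, header name) for every credential header sent over http://.

    HTTPS requests are skipped even when they carry credentials; the point is
    transport, not the presence of a token.
    """
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        url = m.group("url")
        header = m.group("name")
        if urlparse(url).scheme.lower() == "http" \
                and header.lower() in CREDENTIAL_HEADERS:
            findings.append((url, header))
    return findings


# Constructed sample log: one background-sync client talking to two hosts.
SAMPLE_LOG = [
    "GET http://sync.example.invalid/calendar hdr:Authorization=Bearer CONSTRUCTED_TOKEN_1",
    "GET https://sync.example.invalid/calendar hdr:Authorization=Bearer CONSTRUCTED_TOKEN_2",
    "GET http://news.example.invalid/feed hdr:User-Agent=Android-Sync/1.0",
    "POST http://sync.example.invalid/contacts hdr:Cookie=SID=CONSTRUCTED_SESSION",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for url, header in find_plaintext_credentials(SAMPLE_LOG):
        print(f"credential header {header} sent in the clear to {url}")
    try:
        build_authenticated_request("http://sync.example.invalid/calendar", "t")
    except InsecureTransportError as exc:
        print(f"client check: {exc}")
```

The scanner only reports the two plaintext requests that carry an `Authorization` or `Cookie` header; the HTTPS request with the same kind of token and the plaintext request without credentials are left alone. The client-side wrapper is the mirror image: it is the app's job to refuse the insecure path, which is exactly the responsibility the comment assigns to the application rather than to the network.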

  • Re:Firesheep? (Score:4, Insightful)

    by jeffmeden ( 135043 ) on Tuesday May 17, 2011 @01:41PM (#36156182)

    Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

    Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage [gawker.com] a compromised gmail account can cause.

  • Re:Oh yeah? (Score:4, Insightful)

    by iluvcapra ( 782887 ) on Tuesday May 17, 2011 @03:02PM (#36157400)

    One day, Google invented this totally awesome free and open source operating system for phones, which ran on hundreds of different devices from dozens of different vendors. It allowed people to customize their phones, run whatever apps they wanted, buy apps off of different stores and sideload whatever code they pleased.

    Google also invented an awesome operating system for phones that they develop in secret, publish the source for only after select marketing partners have had a 6 month head start, and then only if the code "looks good enough," and their partners are only allowed a head start if they agree to not integrate their phones with services that would harm Google's strategic investments [thisismynext.com]. These phones come in many different models, but only two of them, both coming from the same manufacturer, actually offer up-to-date support and updates. The rest are trendy abandonware, efused and ROMed.

    I am continually informed by people here that these two operating systems are the same thing and that all the good stuff about the first operating system applies to the second one.
