
Swiped Tokens Expose Android Devices To Data Theft 162

Posted by CmdrTaco
from the swipe-the-leg dept.
tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."
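The two halves of the story in code, as an added example that is not part of the story, the Ulm write-up, or any Google or Android code: a small sniffer-side scan that pulls ClientLogin tokens out of cleartext HTTP requests, and the developer-side guard that refuses to attach a token to anything but an https URL. The captured flows, hosts, paths and token strings are constructed for the example; the only thing taken from the protocol is the header shape `Authorization: GoogleLogin auth=<token>` that ClientLogin used. On an open network the eavesdropper sees that header in full on port 80 and only ciphertext on port 443, which is all the difference between 2.3.3 and 2.3.4 amounts to.

```python
"""Added example, not from the story or the Ulm write-up: find ClientLogin
tokens that cross the wire in the clear, and the client-side guard that
keeps them off plain HTTP.

Assumptions, all constructed for this example: the captured flows, hosts,
paths and token strings below are made up. The header shape
``Authorization: GoogleLogin auth=<token>`` is the one ClientLogin used;
a sniffer on an open Wi-Fi network sees it in full on port 80 and sees
only ciphertext on port 443."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ClientLogin put the token in a GoogleLogin authorization scheme.
GOOGLELOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(?P<token>\S+)$", re.IGNORECASE)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ")


@dataclass(frozen=True)
class Flow:
    """One captured client-to-server payload. For a TLS flow the sniffer
    only has ciphertext, so payload is left empty."""
    dst_host: str
    dst_port: int
    tls: bool
    payload: bytes


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).
    Header names are lower-cased; the body, if any, is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def googlelogin_token(headers: dict[str, str]) -> str | None:
    """The ClientLogin token from an Authorization header, or None."""
    m = GOOGLELOGIN_RE.match(headers.get("authorization", ""))
    return m.group("token") if m else None


def find_leaked_tokens(flows: list[Flow]) -> list[dict[str, str]]:
    """One finding per cleartext HTTP request that carries a ClientLogin
    token. This is what the eavesdropper on the open network gets: a
    token that is not bound to the device and can be replayed as-is."""
    findings = []
    for f in flows:
        if f.tls or not f.payload.startswith(HTTP_METHODS):
            continue
        _method, target, headers = parse_http_request(f.payload)
        token = googlelogin_token(headers)
        if token is not None:
            findings.append({
                "host": headers.get("host", f.dst_host),
                "target": target,
                "token": token,
            })
    return findings


class InsecureTransport(ValueError):
    """Raised rather than letting a token out over plain HTTP."""


def auth_headers_for(url: str, token: str) -> dict[str, str]:
    """The developer-side fix: attach the token only to an https URL.
    Refusing here turns a silent leak into a loud failure in testing."""
    if urlsplit(url).scheme != "https":
        raise InsecureTransport(f"refusing to send auth token over {url!r}")
    return {"Authorization": f"GoogleLogin auth={token}"}


# Constructed capture: two cleartext syncs, one TLS sync, one unrelated request.
SAMPLE_FLOWS = [
    Flow("www.google.com", 80, False,
         b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAexampleContactsToken1\r\n"
         b"User-Agent: Android-GData/1.0\r\n\r\n"),
    Flow("picasaweb.google.com", 80, False,
         b"GET /data/feed/api/user/default HTTP/1.1\r\n"
         b"Host: picasaweb.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAexamplePicasaToken2\r\n\r\n"),
    Flow("www.google.com", 443, True, b""),
    Flow("example.org", 80, False,
         b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in find_leaked_tokens(SAMPLE_FLOWS):
        print(f"cleartext token to {hit['host']}{hit['target']}: {hit['token'][:12]}")
    print(auth_headers_for("https://www.google.com/m8/feeds/contacts/default/full", "t"))
```

Run against the constructed capture it reports the two port-80 syncs and nothing for the TLS flow or the token-less request; `auth_headers_for` on an `http://` URL raises instead of returning a header, which is the behaviour a sync client should have had from the start.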
  • by Anonymous Coward on Tuesday May 17, 2011 @12:15PM (#36154790)

    Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?

    • by drpimp (900837)
      I agreed wholeheartedly, but the difference is with Android apps it's virtually transparent whether you are connecting to an HTTP/S connection. At least with a browser, people are trained to look for "the lock", so even if they are connecting to an unsecured wifi spot, their HTTPS connections are safer (sans MITM and other vectors) than an HTTP connection over unsecured wifi.
  • by digitaldc (879047) * on Tuesday May 17, 2011 @12:18PM (#36154842)
    ...and turn off Wi-Fi. Don't let your 'smartphone' become a 'dumbphone'

    Only use it for emergencies and throwing angry birds.
  • by Random2 (1412773) on Tuesday May 17, 2011 @12:19PM (#36154860) Journal

    As it says in TFA:

    "The researchers tested out apps that contact Google services, including Calendar, Contacts, and Gallery, on various iterations of Android. They found that those apps were all vulnerable on devices running Android 2.3.3 or earlier. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app -- which syncs with Picasa online Web albums -- does not. More important, the vulnerability is not limited to standard Android apps; any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable."

    So, update to 2.3.4 when possible, and avoid unsecured wireless until then. It's not a life-threatening issue, more of a notice.

    • And don't install apps that need access to the network, since you don't have the ability to veto them on a per-connection basis* . (Or don't use unencrypted wifi, which may be a more practical answer.)

      * unlike BB, which gives you very fine grained control over the connections each application makes -- if you take the time to use it.

    • by delinear (991444) on Tuesday May 17, 2011 @12:41PM (#36155184)
      If only Google had taken the decision to bypass carriers and enable me to force an update. Unfortunately I'm still on 2.2 and wholly reliant on my carrier passing any update down the line to me (or I hack the phone and lose any warranty/support). In my opinion this was the biggest mistake of Android, giving the power over updates to companies who have no interest in keeping me on my existing phone longer when they really want to sell me a phone with the latest version. I understand why this is good for carriers, I understand why Google accepted the situation (to encourage uptake of the OS and to move the issue of hardware fragmentation onto the providers), but it's still a bad deal for the user when there are unpatched exploits out there. Apple manage to push through updates (and they've got less incentive to do so than Google, since they sell the hardware), I wish Google could have been more forceful and at least given users the ability to decide if they want to update or wait for their carrier's update.
      • If Google had any guts, they would push out updates without the greedy, troglodytic carriers' involvement, using the unassailable justification of security.

        Of course in retaliation, the a-hole carriers would suddenly switch to Bing even on Android devices.
        • Re:Silver Lining (Score:4, Informative)

          by cecom (698048) on Tuesday May 17, 2011 @01:53PM (#36156410) Homepage Journal

          Sigh. Few people actually realize this, but Google can't possibly do it even if they wanted.

          Each different phone has different custom hardware. That requires a different kernel, different drivers, etc, etc. Google couldn't possibly push an update to any hardware except its own - Nexus One and Nexus S. There is no standard for phones like there is for personal computers. Google would have to maintain and test different Android distributions for every one of the (hundreds?) phones out there. Absurd.

          When you buy a phone from a manufacturer (Samsung, HTC, Motorola, whatever) it is that manufacturer's responsibility to update your phone. If you don't like their update policies, don't buy from them. The market should work. And if people don't care (which is apparently the case), why should the manufacturers?

          Sadly, Google gets blamed for something which is outside of their control. It is like blaming Linus Torvalds for me being too lazy to install the latest security updates on our company website.

          • by vinng86 (1978262)
            I think they should just abstract away the hardware-specific components. There's a great deal of code that is purely unrelated to hardware components that could be separated and updated OTA by Google.
      • by drinkypoo (153816)

        Google can't be in the position of having to personally support every phone. Sure, they could probably do it TODAY, but it puts them in a poor position in the future.

    • Oh yeah? (Score:5, Interesting)

      by Kamiza Ikioi (893310) on Tuesday May 17, 2011 @01:08PM (#36155606) Homepage

      You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol. Even if you run the wildly popular Droid X, you are running 2.2.1, and there are NO expected updates. And even the best carriers drag their asses and force us to wait for them to push the update, rather than update it ourselves. The luckier users are unlocked enough to get an updatable Mod, like Cyanogen. Unlucky users like me have no such option.

      Until Manufacturers supply completely unlockable phones, how "open" Android is doesn't mean shit. 2.3.4 will NEVER... EVER... be released for my phone. And I can't upgrade to Cyanogen, because it has Motorola's "fuck you in the ass" locking mechanism. I have my phone unlocked, but it's a hell of a hack, and Google removed the unlock app from their store because carriers complained that it can be used to enable tethering.

      I don't blame android, but I sure as hell won't ever buy Motorola again. My next phone will be 100% update-able by me (except for the cell radio itself, obviously). I don't care if I have to wait until Android 8.0 comes out to get it.

      • by h4rr4r (612664)

        Unlucky?
        You bought the phone knowing this would happen, and you call yourself unlucky?

        I have a motorola Droid 1 running 2.3.3 and will be running 2.3.4 as soon as CM7.1 hits RC.

        • I agree that luck may not be involved when it comes to actually rooting your phone. However, there is some luck with getting reliable service from your phone after it is rooted. I had issues with my previous phone after I rooted it. The problems outweighed any possible advantages so when I got my replacement phone, I decided against rooting it.

          I am glad that your luck is better than mine.

          • by h4rr4r (612664)

            Rooting the phone does not impact service in any way. The hardware and software used for that is not even related.

            Hell, you can always flash a backup anyway.

            • Rooting the phone does not impact service in anyway.

              Sure if you don't count force close and spontaneous reboot.

              • by h4rr4r (612664)

                That has nothing to do with rooting it. All rooting does is gaining root permissions. That will not cause this issue. Perhaps what you are installing afterwards is doing that.

                Lots of things you can do with root could cause that, but not just having root.

      • by Zebedeu (739988)

        You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol.

        Any of the Nexus devices. Do I get a cookie now?

        I don't blame android, but I sure as hell won't ever buy Motorola again.

        Actually I blame you and everyone who I see complaining on forums. It was an acceptable thing to feel betrayed by the manufacturer one or two years ago when Android devices first started coming out and the promises of openness weren't fulfilled, but nowadays you'd really have to make almost no research before buying your smartphone in order to not know the situation with the updates.

        If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes.

        • Re:Oh yeah? (Score:4, Insightful)

          by iluvcapra (782887) on Tuesday May 17, 2011 @03:02PM (#36157400)

          One day, Google invented this totally awesome free and open source operating system for phones, which ran on hundreds of different devices from dozens of different vendors. It allowed people to customize their phones, run whatever apps they wanted, buy apps off of different stores and sideload whatever code they pleased.

          Google also invented an awesome operating system for phones that they develop in secret, publish the source for only after select marketing partners have had a 6 month head start, and then only if the code "looks good enough," and their partners are only allowed a head start if they agree to not integrate their phones with services that would harm Google's strategic investments [thisismynext.com]. These phones come in many different models, but only two of them, both coming from the same manufacturer, actually offer up-to-date support and updates. The rest are trendy abandonware, efused and ROMed.

          I am continually informed by people here that these two operating systems are the same thing and that all the good stuff about the first operating system applies to the second one.

        • Considering I bought it... oh, over a year ago when it was released, you contradict yourself. Besides, we were promised it would be an unlockable bootloader! [pocketnow.com]

          I have every damn right to be mad. FTA: "This follows Motorola's earlier statement that it is 'working closely with our partners to offer a bootloader solution that will enable developers to use our devices as a development platform.'"

          So, for calling me a whiner... stick it up your ass, my friend.

          BTW, if Google had a clue how to sell a phone through popular carrier channels to begin with instead of their stupid web-store experiment, I would have gotten one.

          • by Zebedeu (739988)

            Considering I bought it... oh, over a year ago when it was released, you contradict yourself.

            When you bought the Droid X the Nexus One was already available. It might have been possible that the Nexus S was already rumoured (can't remember, or bother to check).
            Besides, it was already known that it was coming with a locked bootloader. Hell you bought the device with the most draconian bootloader lock at the time, and now you're complaining.

            Did you read your link? End of 2011. I don't know how you could've missed it, it's in the title!
            (It's now early/middle 2011, you do know that, right?)

            I have every damn right to be mad.

            No you don't. I remember clearly the issue with the locked bootloader being all over the web before the device even hit the stores. At the time it was clear for anyone who spent more than 2 minutes researching that if you wanted an open device you'd either have to go with the Nexus One, or one of the popular HTC devices which somehow had a community of hackers around them.

            BTW, if Google had a clue how to sell a phone through popular carrier channels to begin with instead of their stupid web-store experiment, I would have gotten one.

            Ah, so now it's Google's fault... *eyeroll*

            Face it, you made a bad decision one year ago, either because you didn't bother to inform yourself properly, or because you liked so much that particular phone that you thought it outweighed its faults.

            Now you regret that decision, but can't face the fact that it's all on your shoulders. It is your prerogative to be an informed consumer -- it helps you and it helps everyone else.

            Anyway, this isn't about you. You could be stuck with a 1995 Nokia for all I care. What pisses me off is that you basically validated Motorola's anti-consumer strategies and then come whining when they bite you in the ass.

            And yes, it's clear to anyone that you're whining, and insulting me won't help your case.

        • If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes

          In the US, at least, the problem is the operators. When the Nexus One came out, you couldn't buy it with a contract, only full price; and it took them ages to release an AT&T-compatible version. Nexus S you can have on T-Mobile and Sprint - again, no AT&T nor Verizon. Depending on where one lives, this may be a deal-breaker.

    • by Belial6 (794905)
      I love my Android phones, but suggesting that people upgrade their OS is simply not a realistic answer. Vendor locking means that the vendor decides when you upgrade. And rooting is not the answer for the majority of users either.
    • by blair1q (305137)

      Nexus One phones on T-Mobile got the 2.3.4 update a couple of weeks ago.

      • by ElKry (1544795)

        Not just on T-Mobile, on any carrier. The carrier doesn't provide the updates, Google does.

  • And? (Score:4, Insightful)

    by thePowerOfGrayskull (905905) <marc.paradise@NOSpaM.gmail.com> on Tuesday May 17, 2011 @12:37PM (#36155122) Homepage Journal
    And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.
    • by psydeshow (154300)

      What kind of idiot uses unencrypted WiFi on their phones these days?

      Any idiot who wanders into range of an unencrypted WiFi access point with the same SSID as one of their trusted, encrypted access points.

      It's not like your phone is going to be all "Hey, why isn't this network encrypted anymore?" and refuse to connect, or even bring it to your attention.
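The check psydeshow says the phone does not make, as an added example that is not part of this thread and not any platform's Wi-Fi code: given the profiles a device has saved and what a scan currently sees, refuse to auto-join an access point that advertises a saved SSID with weaker security than the profile was saved with. The saved profiles, scan results and BSSIDs are constructed; the data model is a toy, and the security ranking is an assumption of the example rather than anything Android did in 2011.

```python
"""Added example, not from this thread: the 'is this still the encrypted
network I saved?' check that a phone could make before auto-joining.

Everything below is constructed for illustration: the saved profiles, the
scan results and the BSSIDs are made up, and the data model is a toy, not
any platform's Wi-Fi API."""
from __future__ import annotations

from dataclasses import dataclass

# Higher is stronger. Anything below a saved profile's level is a downgrade.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str  # one of SECURITY_RANK's keys


@dataclass(frozen=True)
class ScannedNetwork:
    ssid: str
    bssid: str
    security: str


@dataclass(frozen=True)
class JoinDecision:
    bssid: str
    allow: bool
    reason: str


def autojoin_decisions(saved: list[SavedNetwork],
                       scan: list[ScannedNetwork]) -> list[JoinDecision]:
    """Decide, per visible access point, whether auto-join is safe.

    A scanned AP is only a candidate if its SSID matches a saved profile.
    It is refused when it advertises weaker security than the profile was
    saved with; an open AP that matches a saved WPA2 SSID is the evil-twin
    case described above. Two APs with the same SSID are judged
    separately, so the genuine WPA2 AP is still allowed while its open
    twin is not. An unrecognised security string ranks below OPEN and is
    refused too, since the device cannot tell what it would be joining.
    """
    profiles = {s.ssid: s for s in saved}
    decisions = []
    for ap in scan:
        profile = profiles.get(ap.ssid)
        if profile is None:
            continue  # unknown SSID: nothing to auto-join
        seen = SECURITY_RANK.get(ap.security, -1)
        expected = SECURITY_RANK[profile.security]
        if seen < expected:
            decisions.append(JoinDecision(
                ap.bssid, False,
                f"{ap.ssid!r} saved as {profile.security} but {ap.bssid} "
                f"offers {ap.security}; possible evil twin"))
        else:
            decisions.append(JoinDecision(
                ap.bssid, True, "security matches saved profile"))
    return decisions


# Constructed sample: one saved WPA2 home network, one saved open hotspot.
SAVED = [SavedNetwork("HomeNet", "WPA2"), SavedNetwork("CoffeeShop", "OPEN")]

# Constructed scan: the real HomeNet AP, an open twin of it, the hotspot,
# and a neighbour's network the device has never saved.
SCAN = [
    ScannedNetwork("HomeNet", "00:11:22:33:44:55", "WPA2"),
    ScannedNetwork("HomeNet", "66:77:88:99:aa:bb", "OPEN"),
    ScannedNetwork("CoffeeShop", "cc:dd:ee:ff:00:11", "OPEN"),
    ScannedNetwork("Neighbour", "22:33:44:55:66:77", "WPA2"),
]

if __name__ == "__main__":
    for d in autojoin_decisions(SAVED, SCAN):
        print("ALLOW " if d.allow else "REFUSE", d.bssid, d.reason)
```

The decision is per BSSID rather than per SSID on purpose: the legitimate AP and its twin share a name, and a per-SSID answer would either block the real network or let the twin through.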

    • What kind of idiots implement token based authentication over unencrypted HTTP streams?
      • by Rich0 (548339)

        Agreed.

        Google should simply run all authentication over https, period. Wifi just makes the problem obvious, but even wired ethernet is vulnerable to sniffing, etc.

        At some point non-SSL http should be EOL'ed. There should be two standards - https with trusted certificate (shows padlock), and https without a trusted certificate (treated like http is treated today and does not show padlock). That will eliminate the need for everybody to have a trusted certificate chain, but will cut out all the passive atta

      • While I agree, this goes beyond that. The specific google components are only one piece; the wider problem here is that when you're allowing a smartphone to connect to *any* network (especially if it's Android or iPhone; but by default BlackBerry too - you have to go out of your way to configure paranoid connection mode), you don't know what your apps are doing. You don't know what servers they're connecting to, what protocol they're using, what data they're sending, or to whom they're sending it (but th
    • Any "idiot" that doesn't have a data plan yet still wants to use their phone in public places. Seriously, how is this different from using a laptop on public wifi? It comes with risks... And you can know what is being transmitted, just because you don't know how, again, same with laptops...
      • I responded to similar questions in this thread, and won't be retyping. Laptops at least have firewalls; and further you have the option of public/private network behavior on modern Windows versions such that you can be certain that apps you don't want talking over public wifi won't be talking.

        Alright, let's say an app exists for monitoring traffic (and I don't know that it does for all phone platforms) - but once the traffic is sent, it's too late. You can't know what is being sent until it's sent; a

  • Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

    Why not eliminate the threat entirely? 'Reducing the risks' just does not cut it in the security industry.

    • by savanik (1090193)

      Why not eliminate the threat entirely? 'Reducing the risks' just does not cut it in the security industry.

      Because in order to eliminate the risk entirely, you will have to shoot the user in the head. They are the largest security risk in any scenario. Requiring encryption won't eliminate your mom from handing you the already logged-in device to troubleshoot it for her.

  • by dido (9125)

    Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

    • by psydeshow (154300)

      Yes, but the point is that with these apps, you don't really have a choice. They connect to Google services in the background, using unencrypted channels. The end user doesn't realize that this is the case.

    • Re:Firesheep? (Score:4, Insightful)

      by jeffmeden (135043) on Tuesday May 17, 2011 @01:41PM (#36156182) Homepage Journal

      Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

      Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage [gawker.com] a compromised gmail account can cause.

  • by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Tuesday May 17, 2011 @01:26PM (#36155902)
    When abroad with my laptop/phone/tablet I use open unencrypted wifi, but I tunnel all of my data through an encrypted VPN connection to my home network, then out from there. Thus, the jag-off running "ssl-strip" or "script-kiddie sheep" on the local LAN can see only my encrypted stream even if the sites I visit are not using SSL.

    I thought we had all learned this lesson a long time ago -- Encrypted data BEFORE it leaves your computer, especially when connecting via untrusted WIFI.

    Android > Wireless And Network settings > VPN Settings > Add VPN.

    "Yeah, but it's difficult to set up my own VPN. What about computer illiterate users?"
    "You expect my grandma to do this?"

    No. I don't care about anyone else's competency or security. Use VPN or only SSL websites on untrusted WIFI or face the consequences.

    This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

    • by drinkypoo (153816)

      Actually, it's pretty easy to set up IPSEC on Windows... at least on Windows 2000 or later, and Pro or better. Using a cert is kind of annoying but using PSK is simple enough.

    • This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

      So is this advice for the user or the creator of the API that sends these nuggets of information from the device?

    • by Belial6 (794905)
      In theory you are right. Setting up a home VPN is trivial. Just buy one of the many routers that support it out of the box. Buffalo even sells routers with official support for DD-WRT. Setting up VPN consists basically of putting in your username and password. For the large part of the population with dynamic DNS, most routers also support DynamicDNS services. If people can figure out how to sign up for Facebook, they can figure out how to sign up for DynamicDNS. My problem is that currently the VPN
      • by Rich0 (548339)

        Also - the native VPN client in Android (as far as I have been able to tell) has a few other issues:

        1. If the VPN isn't up, it just sends out traffic over the direct interface. All it takes is one packet with your token in it to leak your token - 98% VPN coverage just isn't good enough. If I want a VPN, then I don't want traffic to go out in the clear unless I explicitly acknowledge a message asking me about this.

        2. I can't find any setting that lets me make the VPN the default route. There is the open

    • by Belial6 (794905)

      This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

      Sorry to respond to the same post twice, but I just noticed this gem. Most people don't know "shit" about what is in the very walls of their house. They don't know "shit" about electricity, and they don't know "shit" about combustion engines. If people left things alone that they didn't know "shit" about, they would all literally be living in caves like animals. If even that.

  • by drolli (522659)

    I dont use the "sync to google" functions anyway. Was always too scary to me.
