Swiped Tokens Expose Android Devices To Data Theft

tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

Doesn't sound like Android is that relevant

[Anonymous Coward]

Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?

Re:

[drpimp]

I agreed whole heartedly, but the difference is with Android apps it's virtually transparent whether you are connecting to a HTTP/S connection. At least with a browser, people are trained to look for "the lock", so even if they are connecting to an unsecured wifi spot, their HTTPS connections are safer (sans MITM and other vectors) than an HTTP connection over unsecured wifi.

Solution: Wrap your Android in aluminum foil...

[digitaldc]

...and turn off Wi-Fi. Don't let your 'smartphone' become a 'dumbphone'

Only use it for emergencies and throwing angry birds.

Just update your phone.

[Random2]

As it says in TFA:

"The researchers tested out apps that contact Google services, including Calendar, Contacts, and Gallery, on various iterations of Android. They found that those apps were all vulnerable on devices running Android 2.3.3 or earlier. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app -- which syncs with Picasa online Web albums -- does not. More important, the vulnerability is not limited to standard Android apps; any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable."

So, update to 2.3.4 when possible, and avoid unsecured wireless until then. It's not a life-threatening issue, more of a notice.

Re:

[thePowerOfGrayskull]

And don't install apps that need access to the network, since you don't have the ability to veto them on a per-connection basis* . (Or don't use unencrypted wifi, which may be a more practical answer.)

* unlike BB, which gives you very fine grained control over the connections each application makes -- if you take the time to use it.

Re:Just update your phone.

[delinear]

If only Google had taken the decision to bypass carriers and enable me to force an update. Unfortunately I'm still on 2.2 and wholly relient on my carrier passing any update down the line to me (or I hack the phone and lose any warranty/support). In my opinion this was the biggest mistake of Android, giving the power over updates to companies who have no interest in keeping me on my existing phone longer when they really want to sell me a phone with the latest version. I understand why this is good for carriers, I understand why Google accepted the situation (to encourage uptake of the OS and to move the issue of hardware fragmentation onto the providers), but it's still a bad deal for the user when there are unpatched exploits out there. Apple manage to push through updates (and they've got less incentive to do so than Google, since they sell the hardware), I wish Google could have been more forceful and at least given users the ability to decide if they want to update or wait for their carrier's update.

Silver Lining

[ThatsNotPudding]

If Google had any guts, they would push out updates without the greedy, trogliditic carriers involvement, using the unassailabe justification of security.

Of course in retaliation, the a-hole carriers would suddenly switch to Bing even on Android devices.

Re:Silver Lining

[cecom]

Sigh. Few people actually realize this, but Google can't possibly do it even if they wanted.

Each different phone has different custom hardware. That requires a different kernel, different drivers, etc, etc. Google couldn't possible push an update to any hardware except its own - Nexus One and Nexus S. There is no standard for phones like there is for personal computers. Google would have to maintain and test different Android distributions for every one of the (hundreds?) phones out there. Absurd.

When you buy a phone from a manufacturer (Samsung, HTC, Motorola, whatever) it is that manufacturer's responsibility to update your phone. If you don't like their update policies, don't buy from them. The market should work. And if people don't care (which is apparently the case), why should the manufacturers?

Sadly, Google gets blamed for something which is outside of their control. It is like blaming Linus Torvalds for me being too lazy to install the latest security updates on our company website.

Re:

[vinng86]

I think they should just abstract away the hardware-specific components. There's a great deal of code that is purely unrelated to hardware components that could be be separated and updated OTA by Google.

Re:

[HAKdragon]

I could be wrong, but I believe that Microsoft has a minimum spec that handset manufacturers have to meet for them to be granted a license for Windows Phone 7.

Re:

[drinkypoo]

Google can't be in the position of having to personally support every phone. Sure, they could probably do it TODAY, but it puts them in a poor position in the future.

Oh yeah?

[Kamiza Ikioi]

You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol. Even if you run the wildly popular Droid X, you are running 2.2.1, and there are NO expected updates. And even the best carriers drag their asses and force us to wait for them to push the update, rather than update it ourselves. The luckier users are unlocked enough to get an updatable Mod, like Cyanogen. Unlucky users like me have no such option.

Until Manufacturers supply completely unlockable phones, how "open" Android is doesn't mean shit. 2.3.4 will NEVER... EVER... be released for my phone. And I can't upgrade to Cyanogen, because it has Motorola's "fuck you in the ass" locking mechanism. I have my phone unlocked, but it's a hell of a hack, and Google removed the unlock app from their store because carriers complained that it can be used to enable tethering.

I don't blame android, but I sure as hell won't ever buy Motorola again. My next phone with be 100% update-able by me (except for the cell radio itself, obviously). I don't care if I have to wait until Android 8.0 comes out to get it.

Re:

[h4rr4r]

Unlucky?
You bought the phone knowing this would happen, and you call yourself unlucky?

I have a motorola Droid 1 running 2.3.3 and will be running 2.3.4 as soon as CM7.1 hits RC.

Re:

[Bill_the_Engineer]

I agree that luck may not be involved when it comes to actually rooting your phone. However, there is some luck with getting reliable service from your phone after it is rooted. I had issues with my previous phone after I rooted it. The problems outweighed any possible advantages so when I got my replacement phone, I decided against rooting it.

I am glad that your luck is better than mine.

Re:

[h4rr4r]

Rooting the phone does not impact service in anyway. The hardware and software used for that is not even related.

Hell, you can always flash a backup anyway.

Re:

[Bill_the_Engineer]

Rooting the phone does not impact service in anyway.

Sure if you don't count force close and spontaneous reboot.

Re:

[h4rr4r]

That has nothing to do with rooting it. All rooting does is gaining root permissions. That will not cause this issue. Perhaps what you are installing afterwards is doing that.

Lots of things you can do with root could cause that, but not just having root.

Re:

[Zebedeu]

You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol.

Any of the Nexus devices. Do I get a cookie now?

I don't blame android, but I sure as hell won't ever buy Motorola again.

Actually I blame you and everyone who I see complaining on forums. It was an acceptable thing to feel betrayed by the manufacturer one or two years ago when Android devices first started coming out and the promises of openness weren't fulfilled, but nowadays you'd really have to make almost no research before buying your smartphone in order to not know the situation with the updates.

If everyone who complains on the internet had instead made that research and g

Re:Oh yeah?

[iluvcapra]

One day, Google invented this totally awesome free and open source operating system for phones, which ran on hundreds of different devices from dozens of different vendors. It allowed people to customize their phones, run whatever apps they wanted, buy apps off of different stores and sideload whatever code they pleased.

Google also invented an awesome operating system for phones that they develop in secret, publish the source for only after select marketing partners have had a 6 month head start, and then only if the code "looks good enough," and their partners are only allowed a head start if they agree to not integrate their phones with services that would harm Google's strategic investments [thisismynext.com]. These phones come in many different models, but only two of them, both coming from the same manufacturer, actually offer up-to-date support and updates. The rest are trendy abandonware, efused and ROMed.

I am continually informed by people here that these two operating systems are the same thing and that all the good stuff about the first operating system applies to the second one.

We were promised it would be unlocked!

[Kamiza Ikioi]

Considering I bought it... oh, over a year ago when it was released, you contradict yourself. I Besides, We were promised it would be an unlockable bootloader! [pocketnow.com]

I have every damn right to be mad. FTA: "This follows Motorola's earlier statement that it is 'working closely with our partners to offer a bootloader solution that will enable developers to use our devices as a development platform.'"

So, for calling me a whiner... stick it up your ass, my friend.

BTW, if Google had a clue how to sell a phone through

Re:

[Zebedeu]

Considering I bought it... oh, over a year ago when it was released, you contradict yourself.

When you bought the Droid X the Nexus One was already available. It might have been possible that the Nexus S was already rumoured (can't remember, or bother to check).
Besides, it was already known that it was coming with a locked bootloader. Hell you bought the device with the most draconian bootloader lock at the time, and now you're complaining.

Besides, We were promised it would be an unlockable bootloader! [pocketnow.com]

Did you read your link? End of 2011. I don't know how you could've missed it, it's in the title!
(It's now early/middle 2011, you do know that, right?)

I have every damn right to be mad.

No you don't. I remember clearly the issue with the locked bootloader being all over the web before the device even hit the stores. At the time it was clear for anyone who spent more than 2 minutes researching that if you wanted an open device you'd either have to go with the Nexus One, or one of the popular HTC devices which somehow had a community of hackers around them.

BTW, if Google had a clue how to sell a phone through popular carrier channels to begin with instead of their stupid web-store experiment, I would have gotten one.

Ah, so now it's Google's fault... *eyeroll*

Face it, you made a bad decision one year ago, either because you didn't bother to inform yourself properly, or because you liked so much that particular phone that you thought it outweighed its faults.

Now you regret that decision, but can't face the fact that it's all on your shoulders. It is your prerogative to be an informed consumer -- it helps you and it helps everyone else.

Anyway, this isn't about you. You could be stuck with a 1995 Nokia for all I care. What pisses me off is that you basically validated Motorola's anti-consumer strategies and then come whining when they bite you in the ass.

And yes, it's clear to anyone that you're whining, and insulting me won't help your case.

Re:

[shutdown -p now]

If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes

In the US, at least, the problem are operators. When Nexus One came out, you couldn't buy it with a contract, only full price; and it took them ages to release an AT&T-compatible version. Nexus S you can have on T-Mobile and Sprint - again, no AT&T nor Verizon. Depending on where one lives, this may be a deal-breaker.

Re:

[Zebedeu]

Really? I haven't seen Google support a phone for more than 1.5 years to date. Right now they have issued three phones under their brand:

The original devices Google was selling were developer devices: they weren't targeted at consumers, so I don't think they carried the same support expectations. Oh, and by the way, there were two of them, which makes for a total of four Google phones to date.
In any case, the hardware in those devices wouldn't have been able to run Android 2.x in any usable manner. Believe me, my first Android phone had pretty similar hardware to those developer devices and I tried Android 2.2 on it. Unusable.

That isn't exactly a stellar history. Granted, the N1 and NS may still get more updates in the future (or they may not - there are no promises, and Google seems to just stop updating phones and not really announce any kind of official EOL policy). Also - I couldn't find an official firmware release history / changelog for any of these phones so it is possible I missed some kind of a minor update. Corrections are welcome.

I agree that it

Re:

[Rich0]

The original devices Google was selling were developer devices: they weren't targeted at consumers, so I don't think they carried the same support expectations.

The original ADP was identical hardware-wise to the G1, which was a consumer device. The G1 had no better support than the ADP. If the G1 wasn't at least reasonably successful there might never have been an N1.

In any case, the hardware in those devices wouldn't have been able to run Android 2.x in any usable manner. Believe me, my first Android phone had pretty similar hardware to those developer devices and I tried Android 2.2 on it. Unusable.

I own a G1, and with a recent radio which frees up 16MB or RAM it actually is usable with 2.2. Granted, it is limited.

However, I don't consider that a valid excuse for Google abandoning their initial platform in 1.5 year's time. They could have backported whatever enhancements they could have to t

Re:

[ElKry]

N1 - last update issued about 1.5 years after first sale (maybe it is 1.75).
NS - last update issued about 2 months after first sale.

That isn't exactly a stellar history. Granted, the N1 and NS may still get more updates in the future (or they may not - there are no promises, and Google seems to just stop updating phones and not really announce any kind of official EOL policy). Also - I couldn't find an official firmware release history / changelog for any of these phones so it is possible I missed some kind of a minor update. Corrections are welcome.

N1 has had constant OTA updates since it was launched - in fact, it was updated to 2.3.4 about two weeks ago.
NS, exactly the same, some times getting releases some weeks before N1.

So... did you just not bother looking for it, or are you intentionally spreading FUD?

Re:

[Kamiza Ikioi]

Actually, that's the correct answer! I just don't like the iPhone. But I have to give them all credit for regular updates, even to an old 3G I keep around as a music player.

Re:

[Kamiza Ikioi]

I will suck your dick... [youtube.com] - MacGruber

Looks like I'll be looking for a leaked version. :D

Re:

[Belial6]

I love my Android phones, but suggesting that people upgrade their OS is simply not a realistic answer. Vendor locking means that the vendor decides when you upgrade. And rooting is not the answer for the majority of users either.

Re:

[blair1q]

Nexus One phones on T-Mobile got the 2.3.4 update a couple of weeks ago.

Re:

[ElKry]

Not just on T-Mobile, on any carrier. The carrier doesn't provide the updates, google does.

Re:

[h4rr4r]

Really?
CM7.1 nightlies seem available on many phones.

And?

[thePowerOfGrayskull]

And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.

Re:

[psydeshow]

What kind of idiot uses unencrypted WiFi on their phones these days?

Any idiot who wanders into range of an unencrypted WiFi access point with the same SSID as one of their trusted, encrypted access points.

It's not like your phone is going to be all "Hey, why isn't this network encrypted anymore?" and refuse to connect, or even bring it to your attention.

Re:

[chemicaldave]

I don't know about that. Mine has a "Notify me when an open network is available" option.

Re:

[gknoy]

Interesting. How can I configure it not to do that?

Re:

[TheNinjaroach]

What kind of idiots implement token based authentication over unencrypted HTTP streams?

Re:

[Rich0]

Agreed.

Google should simply run all authentication over https, period. Wifi just makes the problem obvious, but even wired ethernet is vulnerable to sniffing, etc.

At some point non-SSL http should be EOL'ed. There should be two standards - https with trusted certificate (shows padlock), and https without a trusted certificate (treated like http is treated today and does not show padlock). That will eliminate the need for everybody to have a trusted certificate chain, but will cut out all the passive atta

Re:

[thePowerOfGrayskull]

While I agree, this goes beyond that. The specific google components are only one piece; the wider problem here is that when you're allowing a smartphone to connect to *any* network (especially if it's Android or iPhone; but by default BlackBerry too - you have to go out of your way to configure paranoid connection mode), you don't know what your apps are doing. You don't know what servers they're connecting to, what protocol they're using, what data they're sending, or to whom they're sending it to(but th

Re:

[thetartanavenger]

Any "idiot" that doesn't have a data plan yet still wants to use their phone in public places. Seriously, how is this different from using a laptop on public wifi. It comes with risks... And you can know what is being transmitted, just because you don't know how, again, same with laptops...

Re:

[thePowerOfGrayskull]

I responded to similar questions in this thread, and won't be retyping. Laptops at least have firewalls; and further you have the option of public/private network behavior on modern Windows versions such that you can be certain that apps you don't want talking over public wifi won't be talking.

Alright, let's say an app exists for monitoring traffic (and I don't know that it does for all phone platforms) - but once the traffic is sent, it's too late. You can't know what is being sent until it's sent; a

Re:

[thePowerOfGrayskull]

When I don't know and can't control what data is going in and out of my device? No, of course I don't. Does that mean you actually do let your phone use unencrypted wifi hotspots?

Why not do even better?

[bogaboga]

Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

Why not eliminate the threat entirely? 'Reducing the risks' just does not gut it in the security industry.

Re:

[savanik]

Why not eliminate the threat entirely? 'Reducing the risks' just does not gut it in the security industry.

Because in order to eliminate the risk entirely, you will have to shoot the user in the head. They are the largest security risk in any scenario. Requiring encryption won't eliminate your mom from handing you the already logged-in device to troubleshoot it for her.

Firesheep?

[dido]

Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

Re:

[psydeshow]

Yes, but the point is that with these apps, you don't really have a choice. They connect to Google services in the background, using unencrypted channels. The end user doesn't realize that this is the case.

Re:Firesheep?

[jeffmeden]

Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage [gawker.com] a compromised gmail account can cause.

VPN? VPN.

[VortexCortex]

When abroad with my laptop/phone/tablet I use open unencrypted wifi, but I tunnel all of my data through an encrypted VPN connection to my home network, then out from there. Thus, the jag-off running "ssl-strip" or "script-kiddie sheep" on the local LAN can see only my encrypted stream even if the sites I visit are not using SSL.

I thought we had all learned this lesson a long time ago -- Encrypted data BEFORE it leaves your computer, especially when connecting via untrusted WIFI.

Android > Wireless And Network settings > VPN Settings > Add VPN.

"Yeah, but it's difficult to set up my own VPN. What about computer illiterate users?"
"You expect my grandma to do this?"

No. I don't care about anyone else's competency or security. Use VPN or only SSL websites on untrusted WIFI or face the consequences.

This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

Re:

[drinkypoo]

Actually, it's pretty easy to set up IPSEC on Windows... at least on Windows 2000 or later, and Pro or better. Using a cert is kind of annoying but using PSK is simple enough.

Re:

[Bill_the_Engineer]

This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

So is this advice for the user or the creator of the API that sends these nuggets of information from the device?

Re:

[Belial6]

In theory you are right. Setting up a home VPN in trivial. Just buy one of the many routers that support it out of the box. Buffalo even sells routers with official support for DD-WRT. Sutting up VPN consists basically of putting in your username and password. For the large part of the population with dynamic DNS, most routers also support DynamicDNS services. If people can figure out how to sign up for Facebook, they can figure out how to sign up for DynamicDNS. My problem is that currently the VPN

Re:

[Rich0]

Also - the native VPN client in Android (as far as I have been able to tell) has a few other issues:

1. If the VPN isn't up, it just sends out traffic over the direct interface. All it takes is one packet with your token in it to leak your token - 98% VPN coverage just isn't good enough. If I want a VPN, then I don't want traffic to go out in the clear unless I explicitly acknowledge a message asking me about this.

2. I can't find any setting that lets me make the VPN the default route. There is the open

Re:

[Belial6]

This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

Sorry to respond to the same post twice, but I just noticed this gem. Most people don't know "shit" about what is in the very walls of their house. They don't know "shit" about electricity, and they don't know "shit" about combustion engines. If people left things alone that they didn't know "shit" about, they would all literally be living in caves like animals. If even that.

Well

[drolli]

I dont use the "sync to google" functions anyway. Was always too scary to me.

Re:Cloud and Google

[Anonymous Coward]

Please. This is abhorrent fear-mongering.

This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks. Don't send private data that you want to be secure over inherently insecure networks.

Re:Cloud and Google

[jeffmeden]

While it is fear-mongering, it is hardly as trivial as the Facebook hacks of yore. For one, there is no way to enable/require SSL for these tokens (at least in plain sight). Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

Therefore, if you have an Android phone you basically better never use WiFi at less than WPA2 grade encryption unless you want to risk your email and other services being compromised, period, end of story, no workaround.

I can only hope that thanks to the openness of Android, someone can code an app that allows for more granular control of what services are connecting at any given time, to at least give those with a clue the ability to stay safe when using open wifi.

Re:

[h4rr4r]

Sure there is, don't support unencrypted wireless on the devices.

Re:

[vajorie]

You missed this part:

turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

I often connect to unencrypted wireless networks with my laptop, knowing full well that unless I ask it to, it will not be exchanging private info with anything. I set it up that way. How do I do that with my android? I doesn't stop sending bits and pieces of information, afaik, even when you turn off sync. The only thing that comes to mind is using droidwall...

Re:

[asdf7890]

You need to not use wireless at all in that case, aside from known trusted networks that you are sure contain only trusted clients. Unless you are using WPA-Enterprise all clients on the same AP are using the same encryption key so can decode each others packets (intercepted simply by putting your network adaptor into promiscuous mode) easily.

So public wireless is a no-no even if it is not working "plain" (no authentication/encryption), and private wireless is out too unless you have audited every device

Re:

[datapharmer]

Seems like it would be easy enough to require ssl for the tokens... can you explain why google couldn't just make this possible via an update? Alternatively they could provide an option to turn off sync when wifi is unsecured.

Re:

[arkhan_jg]

Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

Well, going to 'settings' -> 'accounts & sync' and turning off 'background data' would do it. Then nothing in the accounts and sync page (google calendar, contacts, facebook, exchange etc etc) will be silent syncing in the background on your untrusted network. A lot of third party apps also follow that setting, so it should pretty much kill off all unsolicited

Re:Cloud and Google

[mpicker0]

Just about anyone at an airport or hotel, for starters. And what's wrong with that? Shouldn't I be able to expect that to work, without compromising my accounts?

Re:

[tepples]

Who is stupid enough to connect to an unsecured wireless connection

Plenty of people. Otherwise restaurants wouldn't offer them to entice customers to eat there.

with their personal cellular device?

There isn't much of a difference between a "smartphone" and a "laptop" anymore except for size. Tethering and USB 3G modems have turned laptops into "personal cellular devices". (If you disagree, we may have run into a definition problem [google.com].)

Re:

[exomondo]

Plenty of people. Otherwise restaurants wouldn't offer them to entice customers to eat there.

And this is why there should be no such thing as 'unsecured wireless', all wireless should be secured even if it is with a default password of 'password'.

WPA has been hacked to deauth

[tepples]

all wireless should be secured even if it is with a default password of 'password'.

WEP with a well-known password has the same vulnerability to passive Firesheep-type attacks as open Wi-Fi. Even WPA is vulnerable to an active attack that forces a deauth [wifinetnews.com] and then snoops the pairwise transient key on reauth. WPA+PEAP is less vulnerable because the handshake takes place over TLS.

Re:

[exomondo]

WEP with a well-known password has the same vulnerability to passive Firesheep-type attacks as open Wi-Fi.

WEP is not secure, we've known this for a long time.

Even WPA is vulnerable to an active attack that forces a deauth [wifinetnews.com] and then snoops the pairwise transient key on reauth. WPA+PEAP is less vulnerable because the handshake takes place over TLS.

And either choice is a hell of a lot better than open, unencrypted wifi, hence my suggestion.

Re:

[micheas]

As long as you don't send the information out on the internet sure. Otherwise the unsecured wifi section is the LEAST hostile part of the journey. If you care about what is sent from your computer use ssl or equivalent.

If you use telnet. ftp, and/or authenticated http over the internet, WPA/WEP is moot, one of the hops that has glass in and out on the way to your final destination will take your username password combo and log it for future use.

Your WPA+PEAP is still going through third party networks, ma

Re:

[exomondo]

As long as you don't send the information out on the internet sure.

No, not at all, it's exactly as i said that having encrypted wifi will *always* be more secure than unencrypted wifi, everything beyond that is irrelevant because it is exactly the same in both cases.
If you want to be captain obvious and say all traffic should be encrypted you go right ahead.

Re:

[Bill_the_Engineer]

Sorry but that argument is lame and totally inappropriate. Google drop the ball on this one. If an application needs to transfer sensitive information back to a server then the application should ensure that it is done securely. It is bad practice to assume that the path to the server is secure.

Why are we only taking Wifi into account? I remember a while back talk about an exploit in GSM that allowed femtocells to eavesdrop on a cellphone's transmissions. Don't assume that wifi is the only weak link.

Re:

[jeffmeden]

Given that someone can't sit next to me at Starbucks, or even in my driveway, and pick up packets off the wire and decode them, yes it is a LOT more worrying that this happens in the air as opposed to it being possible at all. I mean, how often did your PPP dialup and POP3 password get exploited for being transferred in cleartext? Sure, in a perfect world every single endpoint would have a major CA signed cert, and SSL/TLS would wrap every single packet on the internet. Until we get there, I will start m

Re:

[micheas]

But if the encryption is end to end, the air is moot.

The large sniffers are not next to you at starbucks, they are in the datacenter within 200ft of you POP to the internet.

Encrypted wifi for internet access is strictly for access control and has nothing to do with keeping data secure.

Re:

[peragrin]

Oddly enough MSFT used a similar term when security experts started telling everyone that activeX is bad and not to use it. MSFT called it fear mongering.

10 years later we are still cleaning up the mess that activeX made of the Internet.

Re:

[shutdown -p now]

Android does make it very easy to send your private data "to the cloud", though. For example, the configuration wizard (which opens when you first turn on the phone) asks if you want to "back up data to the cloud" - a simple checkbox. If you do that, it'll back up, among other things, all your WiFi keys...

Re:

[mehrotra.akash]

A shiny,insecure UI will always be more popular than a Plain,secure one

Re:

[Bill_the_Engineer]

Which one is which?

Re:

[mehrotra.akash]

Android vs Blackberry

or the old s60 could be considered as being somewhere in between

Re:

[Bill_the_Engineer]

What about Blackberry's Android? ;P

Re:

[peragrin]

No Shiny is more important than plain.

the problem is securing things is hard, and in the end should be nearly invisible to the end user.

Shiny is is to show a CEO that you actually accomplished something today.

Re:

[clang_jangle]

See? Retards...

Re:

[TheGratefulNet]

google is harming their own rep and they don't even care. or they are too big to stop it.

over the weekend I bought my first android tablet. I didn't expect much as it was a $100 frys special...

the hardware vendor did not care about quality. cardboard chads were stuck under the resistive touch screen and you could see and feel bumps as you moved your finger over. horrible! they released product like that.

worse, the pad went into an annoying crash/reboot cycle. I went into one gui screen, tried to chang

AOSP Android vs. OHA Android

[tepples]

it does speak to google that they are so lax with the vendors.

There's a difference between OHA Android, which comes on phones and 3G tablets, and AOSP Android, which comes on PDAs and Wi-Fi-only tablets. Anyone can make a device with AOSP (Android Open Source Project), without Google's permission, but it'll come with AppsLib or Amazon Appstore instead of Android Market. I'm guessing that the 100 USD tablet you bought came with AOSP Android, not unlike my Archos 43 PDA. OHA Android-powered devices, on the other hand, are subject to tighter Google scrutiny, but they come with Android Market and other Google apps in return. If you want the tightest scrutiny ever, make sure to choose a phone with "Nexus" in the name.

Re:

[Ender_Stonebender]

You bought a tablet at a price point where you could expect a dog's breakfast, and you're surprised that you got one? I fail to understand what you think is wrong with the world here. There are always going to be hardware makers that are willing to put out shoddy (and possibly knock-off) products at super-discount prices.

I suspect that you bought the tablet on the self-fulfilling prophecy "Android is terrible, even this cheap tablet can't do anything properly!" Next time, either spend 10 minutes playing

Re:

[element-o.p.]

What do you expect? If you release software and allow independent vendors to install your software on their hardware, you will get a wide range of products, from cheap and shoddy to pretty darned nice. If you only want to shell out $100 for a tablet, well, you get what you pay for. OTOH, I have a $450 Dell Streak 7 that I'm reasonably happy with. Fit and finish are pretty nice, the screen is sharp and clear, and the tablet works pretty well. There are a few apps that work fine on my HTC Hero but won't

Re:

[flibuste]

apple is evil, its true; but at least they ensure a reasonable experience on their tablet. it

This is just as wrong as the FA. How can you compare a 700$ tablet with a 100$ one? It's great that you allow yourself some Android bashing / Apple loving, but at least try to be a *little* fair.

I bough a XOOM (same price as the IPad) hoping it would not be too crappy. Well, guess what. It works like a CHARM, just as well as the IPad I tried before, maybe even better since it is way more flexible. And oh well, I

Re:

[Skuld-Chan]

If they are too open - China releases crappy products using a bunch of reference code. If they lock it down so they control the release cycle more the zealots come out and decry Google for not being open enough.

Is there any middle ground? Keep in mind - any released code from Google no matter what the license - China will steal.

Re:

[npsimons]

My friend has a verizon Droid which has made random calls and sent random texts since new.

And my wife has a Samsung Galaxy with T-Mobile that has worked perfectly. My anecdote cancels yours out. Perhaps your friend's problems are with Verizon or Motorola? Both have been known to screw customers over, and shoddy products and service from them wouldn't surprise me. Also, if it's really an Android problem, file a bug report. Bitching on slashdot won't do anything.

PS - I've got mod points, but decided to respon

Re:

[willoughby]

And my wife has a Samsung Galaxy with T-Mobile that has worked perfectly.

Does that include the GPS? I just returned one yesterday because the GPS wouldn't work.

Re:

[Bill_the_Engineer]

Ditto. However the replacement myTouch 4G hasn't given me any problems yet.

Re:

[clang_jangle]

Or you could unjustifiably assuming things. I've been in the room when her Droid was on the table with no-one anywhere near it and it called me. :P

Re:

[clang_jangle]

Speaking of Android concerns there's also the swiftness with which posts like the one I made above get modded "troll". Seems to me there's big google money being spent on astroturfers, or perhaps Taco and Co have signed a special contract...

Re:

[Samalie]

It is the constant battle between the Fandroids and the iCult.

God forbid anyone speaks truth about your platform of choice.

Re:

[clang_jangle]

Um, you forgot the rest of us. You know, slashdotters who aren't irrational, flaming, fanbois? We're probably the majority, too.

Re:

[peragrin]

That's the voice recognition software working for her. Try disabling voice dialing.

I used to use voice stuff until I sneezed while driving and discovered my phone thought I said father and dialed him.

From then on I refuse to use Voice activated features as none of them actually work right in the real world. They use quarter or half samples of pick up key phrases and hash those for speed however because of the compression/ judging that they use for hashes there is huge number of items that "sound alike"

Re:

[ekhben]

Shrug, goodbye karma, but my iPhone's voice recognition does pretty well. Needs you to tell it to listen, repeats what it's going to do before it does it so you can cancel when it does get it wrong.

100% success rate for the number I call most often, probably around three quarters successful for the other numbers I very infrequently call - so maybe it just seems good to me because of the specific circumstances I use it in.

Re:

[clang_jangle]

You really are old enough to should know better than to try that hoary, ancient troll. Maybe if you learn more about how linux systems work you'll get over the delusion that the only thing wrong with windows security is "it's too popular".

Re:

[Samalie]

Well no, of course Windows is loaded with potential exploits.

The problem is...so is OSX and Linux.

But Windows does take the majority of exploits out there. Two reasons really:
Market Share
Technical Savvy of Users

The average Windoes user is, well....stupid. And no, I'm not saying that to all you admins and shit out there...but Windows is the bastion of the average masses...they buy a PC from xxxxx that has Windows pre-installed and they just keep using it. They don't understand fuck all about computers, an

Re:

[PitaBred]

Yes, just like their archiving of your location data keeps you more secure... Apple [wired.com] is [mobilecrunch.com] totally [reuters.com] perfect [arstechnica.com], right? They wouldn't EVER let anything unknown or an app that did more than it said into the app store [iphonetutorialvideos.com], right?

This is simply an implementation flaw. Shit like that happens on ANY system. It's just that with open systems you actually learn about it. Are you SURE that you know all the security weaknesses in your iProduct? Are you sure Apple is telling you everything? How can you be?

Re:

[Graham J - XVI]

None of those are remote exploits for in-box software.

Re:

[element-o.p.]

How is this a "OMG -- Linux is inherently insecure!!!" argument? The developer of software on a Linux platform is stupidly passing clear-text, confidential data across a WiFi connection. Guess what? If you set up a POP3 e-mail account on an Apple product with no encryption on your user name and password between you and the e-mail server, then try to connect to your POP3 e-mail on a shared network (for example, through an Ethernet hub), you'll be able to sniff those credentials, too. Did Apple

Re:

[Cajun Hell]

If you actually feel insecure about your abilities as a designer/programmer for secure systems, then you're probably 10x better than the people who actually make the stuff everyone uses. ;-)

Rule 7: use Android, not Google services

[Cajun Hell]

Google makes a decent (not great, but decent) OS, so use that. But for fuck's sake, don't use it for what they want you to use it for.