The Register® — Biting the hand that feeds IT

Feeds

99% of Android phones leak secret account credentials

'Impersonation attacks' target Google services

By Dan Goodin, 16th May 2011
  • print
  • alert

Agentless Backup is Not a Myth

The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university's Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”

The findings build off previous findings of Rice University professor Dan Wallach, who in February uncovered similar Android privacy shortcomings affecting Twitter, Facebook, and Google Calendar during a simple exercise for his undergraduate security class. The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots.

Google patched the security hole earlier this month with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels, the researchers said. Based on Google's own statistics, this means more than 99 percent of Android-based handsets are vulnerable to the attacks, which are similar in difficulty and effect to so-called sidejacking exploits that steal authentication cookies.

A Google spokesman said the company's Android team is aware of the Picasa deficiencies and is working on a fix.

Researchers Bastian Könings, Jens Nickels, and Florian Schaub warned that the weaknesses could be used against people who use their Android devices on networks under the control of an attacker.

“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

Apps that use ClientLogin should immediately start doing so over encrypted, https channels, the researchers said. A more robust authentication protocol known as oAuth will also close the authToken capture vulnerability, although https should still be used to prevent synced data from being intercepted.

The researchers also suggested Google improve its security by shortening the length of time authTokens are valid and rejecting ClientLogin requests from insecure http connections.

With more than 99 percent of carriers offering their users Android versions with known security weaknesses, the report demonstrates how little success Google has had in getting its partners to upgrade to the latest versions. Many Verizon Wireless customers, for instance, remain stuck with Android 2.2.2, despite containing vulnerabilities that have been known about for months.

Last week, Google said it planned to work more closely with wireless carriers in an attempt to help them offer Android updates more quickly. The company has yet to offer details.

A Verizon spokeswoman told The Register she couldn't say when the company will provide customers with an updated version of Android. She said users should consider using their devices only on secured networks. ®

This article was updated to add comment from Verizon and to make clear weaknesses in Twitter and Facebook applications were discovered by Wallach.

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (79)
Highly Rated
John Robson

cyanogen

Aftermarket firmware is the only way to get upgrades in a timely fashion.

Carriers don't care - you're already paying

Manufacturers don't care - they want to sell you a new phone

11
0
Andy Watt

"should use unsecured networks"?

This is _exactly_ the kind of thing which will turn android into "windows for phones". High volume, and a lucklustre and throwaway attitude to security.

It's the same reasoning which has left the "install whatever the hell I want" switch in the settings menu.

If the industry doesn't wake up Apple will wipe them all out - not due to a single issue like this, but because, again and again, the fragmented players who exist in the android space won't play ball with each other, or google, and google won't play with them either.

It's the perfect environment for exploitable security holes to flourish, for multiple platforms and specifications to befuddle application developers and result in lowest common denominator applications using the oldest API available for maximum compatibility... a whole host of issues stemming from Google's management of the android experiment (let's face it, they're still in beta as usual).

I hope the ice cream sandwich they're planning unifies and places some strictures or some god-awful vulnerability across the entire platform will result in a global bollock-up of PSN proportions.

8
1
The Fuzzy Wotnot
Reply Icon

The clash of Geek and User!

You have to remember that while you may remember all that or even do that kind of thing day-in day-out, most people want a phone to work like their car, TV or fridge. Switch it on and use it as per manual, they do not want an appliance to have to require 6 weeks of evening college to understand.

The last time my dishwasher conk out I didn't bother getting the Zanussi service manual and pulling the back, I was paying for extended warranty so I called up whomever it was I paid, told them the problem and they sent a bloke out within 4 hours to fix it, job done. Same with PCs, phones, cable TV recievers, fridge, cars, a lot of us have other priorities in our lives so we pay for the convenience of someone else to fix stuff when it's broke. It may be odd to some, but that's the way life works today.

6
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
135
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17