99pc of Android phones leak secret info, researchers claim

17 May 2011

Some 99pc of Android devices are vulnerable to attacks that could let hackers get their hands on users’ digital credentials, and through them contacts, calendar info and other sensitive data that ends up stored on Google’s servers, researchers at the University of Ulm have discovered.

It is understood that the weakness exists because of an improper implementation of an authentication protocol known as ClientLogin in Android 2.3.3 and earlier. In other words, it affects any Android user who hasn’t upgraded to Gingerbread (2.3.4).

Because few Android devices have Gingerbread at this point, the researchers conclude 99pc of Android devices in the marketplace are vulnerable to attack.

According to the researchers from the University of Ulm, after a user submits valid credentials for Google Calendar, Contacts and other accounts, the programming interface returns an authentication token, which the device then sends in cleartext.

Because the authToken can be used for up to 14 days in subsequent requests, hackers who capture it can use it to get unauthorised access to users’ accounts.
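As an added illustration of the exposure described above (not code from the article or the Ulm researchers), the following Python helper scans captured HTTP requests for a ClientLogin token carried without TLS and reports how long a captured token remains usable under the 14-day lifetime the article cites. ClientLogin really did send the token in an `Authorization: GoogleLogin auth=...` header; the sample captures, hosts and token values below are constructed.

```python
"""Flag ClientLogin tokens sent in cleartext and compute their remaining exposure window."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# ClientLogin placed the token in this header on every subsequent API request.
CLIENTLOGIN_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
TOKEN_LIFETIME = timedelta(days=14)  # lifetime reported in the article


@dataclass
class Finding:
    host: str
    path: str
    token_prefix: str  # only a prefix is kept so the report itself does not store the credential


def find_cleartext_tokens(captures):
    """captures: iterable of (scheme, raw_request_text). Returns a Finding per plaintext leak."""
    findings = []
    for scheme, raw in captures:
        match = CLIENTLOGIN_RE.search(raw)
        if not match or scheme.lower() == "https":
            continue  # no token, or token protected by TLS
        host = HOST_RE.search(raw)
        request_line = raw.split("\r\n", 1)[0].split(" ")
        path = request_line[1] if len(request_line) > 1 else "?"
        findings.append(Finding(host.group(1) if host else "?", path, match.group(1)[:6] + "..."))
    return findings


def remaining_exposure(issued_at, observed_at):
    """Days a token captured at observed_at can still be replayed, given the 14-day lifetime."""
    remaining = (issued_at + TOKEN_LIFETIME) - observed_at
    return max(remaining, timedelta(0))


# Constructed sample captures: one plaintext leak, one TLS-protected request, one unrelated request.
SAMPLE_CAPTURES = [
    ("http", "GET /calendar/feeds/default/private/full HTTP/1.1\r\nHost: www.google.com\r\n"
             "Authorization: GoogleLogin auth=DQAAAMEXAMPLETOKEN\r\n\r\n"),
    ("https", "GET /m8/feeds/contacts/default/full HTTP/1.1\r\nHost: www.google.com\r\n"
              "Authorization: GoogleLogin auth=DQAAAMEXAMPLETOKEN\r\n\r\n"),
    ("http", "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_CAPTURES):
        print(f"cleartext ClientLogin token to {f.host}{f.path} (token {f.token_prefix})")
    issued = datetime(2011, 5, 10)
    print("replayable for", remaining_exposure(issued, datetime(2011, 5, 17)).days, "more days")
```

Run over a real capture, only plaintext requests carrying the header are reported, which is exactly the traffic an attacker on the same network could read.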

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers wrote in their blog. “The short answer is: Yes, it is possible, and it is quite easy to do so,” they said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com