May 17, 2011 | by Chris Smith
A team of German researchers has just discovered that around 99.7% of Android devices on the market today have a security vulnerability. The vulnerability is exploitable over unencrypted networks, where the device’s Google services ‘authToken’ can be intercepted. The problem can be found in versions of Android up to 2.3.3, and according to Google the newest version, 2.3.4, patches it.
Android applications can acquire a security token through the ClientLogin authorization process. This token (known as the authToken) is passed back to the device, and with it the device is authorized to make changes to the user’s Google account. The problem is that applications then send this authToken unencrypted, allowing it to be “sniffed” and stolen over an open WiFi network. The authToken is valid for a whole 2 weeks and is not bound to any specific device, service, or session. Therefore, once the token is taken, a “hacker” could potentially steal, modify, or erase the user’s Google contact and calendar data.
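The condition described above (an authToken crossing the network in the clear) is what a network defender would want to detect. The following is an added example, not code from the original post: it scans constructed request records from a passive Wi‑Fi monitor, flags every ClientLogin token sent over plain HTTP, and checks whether a sniffed token is still inside the two-week window. The `Authorization: GoogleLogin auth=` header format is assumed from the ClientLogin API; the hosts, timestamps and tokens are made up.

```python
import hashlib
import re
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(days=14)  # validity window described in the post
# Header format ClientLogin used (assumed here from the ClientLogin API docs).
GOOGLELOGIN_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)

# Constructed sample of what a passive monitor on the Wi-Fi segment might record.
SAMPLE_REQUESTS = [
    {"ts": "2011-05-17T10:00:00", "scheme": "https", "host": "www.google.com",
     "raw": "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
            "Authorization: GoogleLogin auth=DQAAAKconstructedtoken1\r\n"},
    {"ts": "2011-05-17T10:01:00", "scheme": "http", "host": "www.google.com",
     "raw": "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
            "Authorization: GoogleLogin auth=DQAAAKconstructedtoken2\r\n"},
    {"ts": "2011-05-17T10:02:00", "scheme": "http", "host": "picasaweb.google.com",
     "raw": "GET /data/feed/api/user/default HTTP/1.1\r\n"
            "Authorization: GoogleLogin auth=DQAAAKconstructedtoken3\r\n"},
    {"ts": "2011-05-17T10:03:00", "scheme": "http", "host": "example.org",
     "raw": "GET / HTTP/1.1\r\nUser-Agent: Android\r\n"},
]


def extract_authtoken(raw_request):
    """Return the ClientLogin authToken carried in the request headers, or None."""
    m = GOOGLELOGIN_RE.search(raw_request)
    return m.group(1) if m else None


def fingerprint(token):
    """Log a short hash, never the token itself, so the alert is not a second leak."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def find_exposed_tokens(requests):
    """Flag every authToken sent over plaintext HTTP, the condition the post describes."""
    alerts = []
    for r in requests:
        token = extract_authtoken(r["raw"])
        if token and r["scheme"] == "http":
            alerts.append({"ts": r["ts"], "host": r["host"], "token_fp": fingerprint(token)})
    return alerts


def still_usable(first_seen, now):
    """A sniffed token stays valid for two weeks, regardless of device or session."""
    return now - datetime.fromisoformat(first_seen) < TOKEN_LIFETIME
```

Two of the four constructed requests are flagged (the HTTPS one and the request without a token are not), and a token first seen on 17 May is still usable on 30 May but not on 1 June.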
If you remember the whole Facebook / Firesheep problem from late last year, this Android dilemma is very close to it.
Now, I won’t try to produce mass hysteria and say that everyone should get rid of their Android device, but what I will say is that if you are concerned about your data, make sure that you don’t use your Android device on unsecured, public networks. Also, it’s nice to see that Google is responding quickly to this, saying that version 2.3.4 fixes the dilemma, but with Android devices shipping to sellers with Android 2.2 still installed, I’m wary to think that this will roll out to any device that has been on the market for over a year.
I’m very surprised that this data hasn’t come out sooner considering that almost 100% of Android devices are affected by it. I have to say that these German researchers did a good job analyzing this data and finding the root cause.
So, if you are out and about with your Android device and on open WiFi networks from time to time, you may want to turn your WiFi radio off.
Google has announced that it is making an update that will patch the security issues on the server side. More information can be found at PC World.