99% of Android handsets vulnerable to account credential theft

By Andrew Munchbach on May 17, 2011 at 9:21 AM

mobile May 17, 2011 at 9:21 AM

A report filed by UK publication The Register details a scary weakness in most Android handsets currently being sold. The aforementioned vulnerability would allow attackers to collect and use digital tokens stored on a handset after a user authenticates to a password protected service. “The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier,” reads the report, quoting research from the University of Ulm. “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.” Google has issued a patch for the ClientLogin protocol with Android 2.3.4 and Android 3.0, but, as The Register points out, only 1% of Android devices are currently running the updated code.

What’s scary is how easy and effortless the exploit can be. “To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” reported researchers. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

Google has yet to issue an official comment on the matter.

Read

Tags:: 2.3.3, 2.3.4, 3.0, Android, Google, Login, Security, Token, Update, Vulnerability, Wi-Fi

101 Comments

Anonymous

Who the hell tries to authenticate anything on an open unsecured WiFi network? You deserve this if you do.

This is basically a non-issue for anyone with half a brain.

ChaChaCha

I agree.. This is definitely an issue but not something Im worrying about.. I’ve never connected to an open wifi with my iPhone, laptop or android device. Its just that iFanboys have something to latch onto for a few days and they need to blow this up as much as possible. I wouldn’t be surprised if the iPhone does the same thing.

Anonymous

No bro your wrong. EVERYONE has a phone and many want the cool Smartphones like my parents and, no, I don’t expect them to understand “open unsecured wifi”, “authentication”, “malware”, etc. While I agree educating these folks is necessary, the “Bad Guys” are loving the less tech savy crowd. Dont be selfish, think of the “little guy”;)

Anonymous

Isn’t this more of an indictment of the OEMs and the carriers, rather than Android? The custom overlays and the way the carriers take their sweet time in releasing upgrades (no money in upgrades, so whhy rush?) means that there is a meaningful delay between when patches are made available and when (if ever) they are distributed to the end user.

I apologize for providing a reasonable point of view and now return you to your regularly scheduled, asinine, and generally pointless flame war.

Bringit

But that is a basic and persistent problem with the Android model. Less control equals less control.

Jermajesty

This is probably not Android specific. Facebook, Twitter, and webmail systems have been shown to have this same security flaw on open WiFi networks months ago. A Firefox extension called FireSheep would read these plain text tokens over open WiFi networks and automatically log you in as the stolen identity. Gmail, Yahoo, and Live now login using SSL while Facebook and Twitter do not. Great research they do at the University of Ulm. of Ulm.
BerryKing

All fagdorids morons got what they deserved! Icrap and fagdroids phones are THE WORST in security! For some reason I don’t see RIM in this anywhere! Whether its about collecting data without the user knowing or having these basic vulnerabilities! I guess RIM’s OS is very good at not putting out its users info’s! Which is WAY more important than having stupid Angry birds on it! Fuckin morons!! LOL

Anonymous

That’s because RIM does not make news and oh wait, who is RIM? RIM is one step out the door and even the “bad guys” know that;)

KingBerry

see! U are one of the morons i was talking about! if i was u, i would worry about someone getting my BGR account password! lolllll Dumb fuck!
Anonymous

And what?.. Are you threatening?

http://twitter.com/mashryock Mark Shryock

It seems I keep hearing about security flaws but I never hear of anyone actually exploiting them. At least this is from a University and not a Security firm that happens to sell security software.
Booboolala2000

The problem has been fixed by Google, it now lies with the carriers to update their customers handsets. Plus I have lte and don’t cheapskate on my unlimited data, sopublic wifi is for poor people with iphones.
http://theiphonefever.blogspot.com/ Michael Schwartz

This article is FUD. It’s either from Facebook’s admitted smear campaign or Apple’s.

The exact same things said here are so general that they apply to any
operating system, starting with Windows 7 and ending with iOS.

Speaking of iOS security: goo gl 3Wtr8

And btw, what this article says can be compared to:

-french fries are the only unhealthy food because they are cooked in oil

-mercedes is the most unfriendly company to the environment because their cars run on gas.

FUD WTF!
Anonymous

Nothing to see here….
Anonymous

This just in : 99% of cell phone users are likely to get ball cancer
Anonymous

WHA……………?????????????? You mean connecting to an unsecured, strange wifi hotspot can put me at risk???

NO WAY!!!!
Anonymous

Sweet! Google already released a patch to fix this. I should receive it on my phone about 8 months from now. No worries all!
Ralph Jones

What the article fails to mention is that no services or apps seem to be using the ClientLogin API. OAuth doesn’t seem to be vulnerable to this. And after a bit of searching, I’m not finding any apps that are using ClientLogin over OAuth.
RD

One of the many reasons I’m glad I have a blackberry torch and not an android (nor iphone).

Anonymous

Oh Man the horror of using that phone!!

BerryKing

The horror of seing morons like u spreading false facts about RIMs phone! AND the horror of seing your existence! you sound bad and unintelligent and probably look like you sound! Lol! plain ugly just like the freakin fagdroid mascot! get lost!
Anonymous

Awww did I pinch a nerve you fag. No I am pretty like the Sweet Apple logo. Come on you want to go back and forth with your name calling like a little girl or handle it like a man? Please calling someone ugly. That’s what I would expect of my daughter. Lol
BerryKing

The worst is that shes right! lol
BerryKing

@mplaisance:disqus the apple logo is just a stupid apple that some dumb douche took a bite in it! its straight ass ugly and its roting! The worst of all for u, is that your daughter is right! you are ugly! loll hopefully she tookher beauty from her moms side! or maybe your wife had her with another man and you cant even see that! how pathetic! Get yourself a Blackberry! maybe it will make you feel more important and less of an icrap! lollll

Droidman101

ERRRR….and the idiot buzzers sound…you need to be rooted with a pretty shitty rom for this to happen.
Anonymous

Granted. I raised that point to counter someone who was as saying that the G1 would never receive updates (which is a non-point). I agree with you that that’s a bullshit expectation for old phones.

As far as new phones. Being sold with old software is a manufacturer/carrier problem. What phone you have should cause fragmentation. It’s what happens when you have choice. OS fragmentation should not prevent security updates.

What version of Android you’re running should affect what programs you can run. It happens on all platforms. But given that we’ve seen the latest Android run on the oldest phones, we need to accept the fact that it’s not the capabilities of the old ass phone that’s in question, it’s who is allowed to put out updates.

In an open source setting, Google needs to be the one putting out security updates, not leaving it up to other companies. That would solve 95% of the real fragmentation problems.

The “I bought the wrong shit so my API version update takes to long” argument is not valid. If you wanted the latest updates you should have bought a Nexus One. And if you didn’t know to buy a Nexus One or were on Verizon (like me), you didn’t have a choice.

For people outside of the US, where phones have to operate on multiple carriers so the device manufacturer rather than phone carrier puts out the updates, you’ll find much less fragmentation. Samsung put out the Froyo update for the International Version of the Galaxy S in November and people could just get it. I had to wait until May.

Since we are at the mercy of the carriers in this country, a lot of the fragmentation comments sound reasonable, but in other places where the carriers offer some freedom instead trying to make every last penny until people complain, they fall apart.

« Previous 1 2

Hubs

Apple

Android

Mobile

Business

Related Articles

Hubs

Apple

Android

Mobile

Business