Android sales are at an all-time high, and there appears to be no stopping Google's mobile-OS juggernaut. But how safe are your personal data and credentials? According to a study at the University of Ulm in Germany, the answer is rather shocking. The study reports that 99% of Android users are at risk of leaking digital credentials when they connect to unsecured Wi-Fi networks (or otherwise send their traffic across a network an attacker can observe). The cause is not ClientLogin, Google's authentication protocol, itself, but the way Android 2.3.3 and earlier used it: after the user signs in, Google hands back an authToken, and the Calendar and Contacts sync clients then sent that token over plain HTTP instead of HTTPS. The token stays valid for up to two weeks, and anyone who can see the traffic can pick it up and reuse it as the user. According to the researchers:
“To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks…With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
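To make the mechanics concrete, here is an added example (not code from this post or from the Ulm study) of the two halves of the problem: what a passive observer on the evil-twin access point can pull out of plaintext sync traffic, and the client-side rule that prevents it. The HTTP requests, host names, paths and token values below are constructed for the example; only the `Authorization: GoogleLogin auth=...` header shape is the real ClientLogin convention.

```python
"""Added example: harvesting ClientLogin authTokens from plaintext HTTP, and
the client-side guard that stops the leak. Sample requests are constructed."""
import re
from urllib.parse import urlsplit

# Constructed samples, not real captures: what a passive observer on the access
# point sees when a phone auto-connects and its apps try to sync over port 80.
# Host names, paths and token strings are assumptions made for this example.
PLAINTEXT_CAPTURES = [
    "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAMQAAAD7constructedCalendarToken\r\n"
    "\r\n",
    # A request carrying no credential, to show the filter ignores it.
    "GET /generate_204 HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "\r\n",
    "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAMQAAAD7constructedContactsToken\r\n"
    "\r\n",
]

# ClientLogin clients present the token as "Authorization: GoogleLogin auth=<token>".
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)",
                     re.MULTILINE | re.IGNORECASE)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def harvest_tokens(captures):
    """Attacker's view: return (host, path, token) for every plaintext request
    that carries a ClientLogin authToken. The sync itself may fail because the
    evil twin never forwards the request, but the token has already leaked."""
    found = []
    for raw in captures:
        head = raw.split("\r\n\r\n", 1)[0]          # headers only
        match = AUTH_RE.search(head)
        if not match:
            continue
        request_line = head.split("\r\n", 1)[0]     # e.g. "GET /path HTTP/1.1"
        path = request_line.split(" ")[1]
        host_match = HOST_RE.search(head)
        host = host_match.group(1) if host_match else "?"
        found.append((host, path, match.group(1)))
    return found


def token_allowed(url):
    """The rule Android 2.3.3's sync clients lacked: a bearer token like an
    authToken may only travel inside TLS."""
    return urlsplit(url).scheme.lower() == "https"


def authorized_headers(url, token):
    """Hardened client: build the ClientLogin header, but refuse outright when
    the request would go over plain HTTP instead of silently leaking."""
    if not token_allowed(url):
        raise ValueError(f"refusing to send ClientLogin authToken over {url!r}: not TLS")
    return {"Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    for host, path, token in harvest_tokens(PLAINTEXT_CAPTURES):
        print(f"leaked: {host}{path} -> {token}")
    print(authorized_headers("https://www.google.com/calendar/feeds/default/private/full",
                             "DQAAAMQAAAD7constructedCalendarToken"))
    try:
        authorized_headers("http://www.google.com/calendar/feeds/default/private/full",
                           "DQAAAMQAAAD7constructedCalendarToken")
    except ValueError as err:
        print(err)
```

The harvesting side needs nothing more than a regular expression over the captured bytes, which is why the study could describe the attack as large-scale and passive; the defending side is a single scheme check, which is why the fix (forcing the sync connections onto HTTPS) could be made without touching the phones.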
Android 2.3.4 patched this lapse (the affected sync clients now use HTTPS), but with OEMs struggling to roll out updates in a timely fashion, in the meantime you might want to steer clear of unsecured networks, forget any remembered open SSIDs so the phone cannot auto-connect to an evil twin, and, if you write apps that use ClientLogin, send the authToken only over HTTPS.
UPDATE: Hours after this post was published, Google acknowledged the security issue and said a fix would be rolled out within a day. The best part: the change is made on Google's servers, so it requires no tedious update or change to your Android device on your part. Trust Google to hit the ground running that fast. Kudos.