Android sales are at an all-time high, and there appears to be no stopping Google’s mobile-OS juggernaut. But how safe and secure are your personal data and credentials? According to a study at the University of Ulm in Germany, the answer to that question is rather shocking. The study reports that 99% of Android users are at risk of leaking digital credentials when they visit certain websites or connect to unsecured Wi-Fi networks. The cause is an improper implementation of the ClientLogin authentication protocol, and the flaw affects Android 2.3.3 and earlier. Every time an Android user logs in to a service such as Twitter or Facebook, an authToken is stored for up to 2 weeks, and that token can be captured and used by anyone who knows how to go about it. According to the researchers:
“To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks… With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
Android 2.3.4 patches this security lapse; however, with OEMs struggling to roll out updates in a timely fashion, you might want to steer clear of unsecured networks and only use ClientLogin on HTTPS websites in the meantime.
UPDATE: Hours after this post was published, Google acknowledged the security issue and assured users that a fix would be available within a day. The best part: the fix is applied by Google on the server side and requires no tedious update or changes to your Android device on your part. Trust Google to hit the ground running that fast. Kudos.
Google announced earlier today that a new iteration of the Nexus S, which was the first device running Gingerbread (aka Android 2.3), called the Nexus S 4G will soon be available on Sprint. Apart from the usual Nexus S config (see here, minus the radios, as it’s CDMA), it features a WiMAX radio (hence the 4G) to run on the Sprint WiMAX network, similar to the Evo 4G and the Epic 4G. But that’s not the best part. This is the first phone to completely integrate Google Voice! Well done Google (and Sprint of course, for letting them do that I guess).
Head over to http://www.sprint.com/nexus (which isn’t loading yet, by the way, but you get redirected there from the Nexus S site).
Here’s the post from the official Google Mobile Blog:
“Introducing Nexus S 4G for Sprint
Monday, March 21, 2011 | 5:00 AM
Recently, we introduced Nexus S from Google, the first phone to run Android 2.3, Gingerbread. In addition to the UMTS-capable Nexus S, today we’re introducing Nexus S 4G from Google, available for Sprint. Nexus S 4G is part of the Nexus line of devices which provide a pure Google experience and run the latest and greatest Android releases and Google mobile apps.
We co-developed Nexus S 4G with Samsung to tightly integrate hardware and software and highlight the advancements of Gingerbread. Nexus S 4G takes advantage of Sprint’s high-speed 4G data network. It features a 4” Contour Display designed to fit comfortably in the palm of your hand and along the side of your face. It also features a 1GHz Hummingbird processor, front and rear facing cameras, 16GB of internal memory, and NFC (near field communication) hardware that lets you read information from everyday objects that have NFC tags.
In addition, today we’re excited to announce that Sprint customers will soon be able to take advantage of the full set of Google Voice features without changing or porting their number.
You can find more Nexus S information and videos at google.com/nexus or follow @googlenexus on Twitter for the latest updates. Nexus S 4G can be purchased this spring online and in-store from Sprint retailers and Best Buy and Best Buy Mobile stores in the U.S.
Posted by Andy Rubin, VP of Engineering”