Almost All Android Phones Leak Account Details

Researchers have found that the authTokens used by Google's ClientLogin authentication protocol can be captured on open WiFi networks and then used to impersonate the victim on all of Google's services, not just Calendar and Contacts.

Knowing there are risks when using Android smartphones on open WiFi networks, researchers Bastian Könings, Jens Nickels, and Florian Schaub from Germany's University of Ulm wanted to see whether they could launch an impersonation attack against all Google services. They discovered an attack, similar to stealing website session cookies (known as sidejacking), that works on Android versions 2.3.3 and earlier.

From their blog:

To collect such authTokens on a large scale an adversary could set up a WiFi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.

The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.
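The root cause the researchers describe is that the affected apps send the long-lived authToken in a request header over plain HTTP, where anyone on the same open network can read it. The following audit script is an added example, not code from the article or from the Ulm researchers: it scans captured HTTP request records and flags every one that carries a ClientLogin `Authorization: GoogleLogin auth=...` header without TLS. The log format, hostnames, paths and token values are constructed for the example; it reports only an abbreviated fingerprint of each token so the audit output does not itself become a store of usable credentials.

```python
"""Audit HTTP request records for Google ClientLogin authTokens sent without TLS.

Added example, not from the original article or the Ulm researchers' work.
The record format and the sample log below are constructed for illustration.
"""

import re
from dataclasses import dataclass, field

# ClientLogin clients present the token on every request as
# "Authorization: GoogleLogin auth=<token>". Header names are case-insensitive.
GOOGLELOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


@dataclass
class Request:
    scheme: str                          # "http" (cleartext) or "https" (TLS)
    host: str
    path: str
    headers: dict = field(default_factory=dict)   # lower-cased header names


@dataclass
class Finding:
    host: str
    path: str
    token_fingerprint: str   # abbreviated on purpose; never store the full token


def parse_record(line: str) -> Request:
    """Parse one constructed log record of the form
    '<scheme> <host> <path> | Header: value | Header: value'."""
    parts = [p.strip() for p in line.split("|")]
    scheme, host, path = parts[0].split()
    headers = {}
    for hdr in parts[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(scheme.lower(), host, path, headers)


def fingerprint(token: str) -> str:
    """Keep a short prefix and the length: enough to correlate findings,
    not enough to reuse the token."""
    return f"{token[:6]}...({len(token)} chars)"


def find_plaintext_tokens(requests):
    """Return a Finding for every cleartext request that carries a ClientLogin token."""
    findings = []
    for req in requests:
        if req.scheme != "http":
            continue   # TLS in transit: a passive observer on open WiFi cannot read headers
        auth = req.headers.get("authorization")
        if not auth:
            continue
        match = GOOGLELOGIN_RE.match(auth)
        if match:
            findings.append(Finding(req.host, req.path, fingerprint(match.group(1))))
    return findings


def audit_log(text: str):
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return find_plaintext_tokens(records)


# Constructed sample: two syncs over plain HTTP with a token (flagged), one over
# HTTPS (safe in transit), one cleartext request with no token (not a leak).
SAMPLE_LOG = """\
http www.google.com /calendar/feeds/default/private/full | Authorization: GoogleLogin auth=DQAAAK4AAACxyzConstructedToken0001 | GData-Version: 2
https www.google.com /m8/feeds/contacts/default/full | Authorization: GoogleLogin auth=DQAAAK4AAACxyzConstructedToken0002
http picasaweb.google.com /data/feed/api/user/default | GData-Version: 2
http www.google.com /m8/feeds/contacts/default/full | authorization: googlelogin auth=DQAAAK4AAACxyzConstructedToken0003
"""

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"PLAINTEXT TOKEN: {f.host}{f.path} token={f.token_fingerprint}")
```

Run against the constructed sample, the script flags the first and the last record (both cleartext, both carrying a token) and ignores the HTTPS request and the cleartext request that has no Authorization header. The same scheme check is the fix on the client side: once every request that carries the token goes over HTTPS, the evil-twin scenario quoted above yields nothing readable.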

It's ironic that the vulnerability affects all Android smartphone users who have not yet updated to Gingerbread 2.3.4, ironic because almost no Android phones have that release at this point. Carriers need to work out the means for Android users to update to the latest OS. As we trust our mobile devices with more and more services, we should expect to apply security updates from time to time.

In a <a href="">CNN</a> article on this, Mocana's CEO Adrian Turner said "We don't think there's enough being invested proactively to address some of these threats. You want to avoid the oil spill in the first place."