A study conducted by the University of Ulm in Germany reveals some pretty disturbing facts about devices running Google’s Android. The results show that Google’s mobile OS is vulnerable to attacks that steal digital credentials, giving access to calendars, contacts and other sensitive data.
This flaw is said to stem from the improper implementation of ClientLogin, an Android authentication protocol, and affects versions 2.3.3 and earlier. The programming interface stores an authentication token for up to 14 days, allowing attackers to exploit it.
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”
This Android security flaw also affects Twitter, Facebook and Google Calendar, and was detected by Professor Dan Wallach of Rice University via a simple exercise he held with undergraduate students. These attacks are possible on unsecured networks such as Wi-Fi hotspots, and they were pretty easy to execute.
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
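From the defender's side, the same exposure can be checked in an app's own traffic. The script below is an added example, not code from the researchers or from Google: it scans requests recorded by a test proxy for ClientLogin tokens sent without TLS and reports how long each could remain usable. It assumes the `Authorization: GoogleLogin auth=` header form of the ClientLogin API; the record layout, host names and tokens are constructed.

```python
import hashlib
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)   # validity period reported in the article
AUTH_PREFIX = "GoogleLogin auth="     # assumed ClientLogin Authorization scheme

# Constructed sample: outbound requests recorded by a test proxy (not real traffic).
SAMPLE_REQUESTS = [
    {"time": "2011-05-16T09:00:00", "url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-AAA"}},
    {"time": "2011-05-16T09:00:02", "url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-BBB"}},
    {"time": "2011-05-16T09:05:00", "url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-AAA"}},
    {"time": "2011-05-16T09:06:00", "url": "http://static.example.test/logo.png",
     "headers": {}},
]

def find_cleartext_tokens(requests):
    """Return one finding per distinct authToken sent over unencrypted HTTP."""
    findings = {}
    for req in requests:
        url = urlsplit(req["url"])
        if url.scheme.lower() != "http":
            continue  # TLS-protected requests are not readable on an open hotspot
        # HTTP header names are case-insensitive.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        value = headers.get("authorization", "")
        if not value.startswith(AUTH_PREFIX):
            continue
        token = value[len(AUTH_PREFIX):].strip()
        # Report a fingerprint so the audit output does not leak the token again.
        fp = hashlib.sha256(token.encode()).hexdigest()[:12]
        seen = datetime.fromisoformat(req["time"])
        entry = findings.setdefault(fp, {
            "fingerprint": fp, "hosts": set(), "first_seen": seen, "count": 0})
        entry["hosts"].add(url.hostname)
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["count"] += 1
    for entry in findings.values():
        # Upper bound: a token observed at first_seen is usable at most this long.
        entry["exposed_until"] = entry["first_seen"] + TOKEN_LIFETIME
    return sorted(findings.values(), key=lambda e: e["first_seen"])

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(f["fingerprint"], sorted(f["hosts"]), f["count"],
              "exposed until", f["exposed_until"].isoformat())
```

Any finding means a sync request carried a reusable credential in the clear; the fix is to send those requests over HTTPS only.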
While these privacy issues are alarming, we know very well that they aren’t uncommon at all. Apple, for example, is facing privacy concerns over location data collection as well. A suit was filed by Lymaris M. Rivera Diaz of the Puerto Rico district court accusing Apple of “intentional interception of personally identifying information,” while similar litigation has already been filed by Californian Jonathan Lalo.
Moreover, we’ve seen Google wrestling with the Swiss government, which has asked the search giant to blur the faces of people on its Street View Map. While Google successfully made 99 percent of the faces unrecognizable, the Swiss government still demands that Google manually blur the remaining 1 percent. Google answered that it would retract the service if forced to do so.