A study conducted by the University of Ulm in Germany reveals some pretty disturbing facts about devices running Google’s Android. The results show that Google’s mobile OS is vulnerable to attacks that steal digital credentials, giving access to calendars, contacts and other sensitive data.
This flaw is said to have come from the improper implementation of ClientLogin, an Android authentication protocol, affecting versions 2.3.3 and earlier. The programming interface stores an authentication token for up to 14 days, allowing attackers to exploit it.
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”
This Android security flaw is also affecting Twitter, Facebook and Google Calendar, and was detected by Professor Dan Wallach of Rice University via a simple exercise he held with undergraduate students. These malicious attacks are possible on unsecured networks such as Wi-Fi hotspots, and they were pretty easy to execute.
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
We know very well that while these privacy issues are alarming, they aren’t uncommon at all. Apple, for example, is facing privacy concerns over location data collection as well. A suit was filed by Lymaris M. Rivera Diaz of the Puerto Rico district court accusing Apple of “intentional interception of personally identifying information,” while similar litigation has already been filed by Californian Jonathan Lalo.
Moreover, we’ve seen Google wrestling with the Swiss government as the body asks the search giant to blur the faces of people on its Street View maps. While Google successfully made 99 percent of the faces unrecognizable, the Swiss government still demands that Google manually blur the remaining 1 percent. Google answered that it would retract the service if forced to do so.