This could be a shocking news to all the Android users all over the world. A whopping 99.7 % of Android smartphones are leaking log in data for Google services.This article is written by Adrian Kingsley Hughes for Zdnet
The problem is in the way that applications which deal with Google services request authentication tokens. These tokens are handy in that they eliminate the need for the user to login to the service, but as the researcher discovered these tokens are sometimes sent in plaintext form over wireless networks. This means that anyone who happened to be eavesdropping on the WiFi network could grab these tokens.
What’s worse is that tokens are not specific to the handset, which means that a token destined for one handset could be used on another.
The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing.
To make matters worse, tokens are valid for a long period of time (14 days for Calendar tokens), which means that someone grabbing your token could have two weeks worth of access to your data.
Here is a list of few solutions for the Android users
Upgrade your handset to Android which offers HTTPS for Google Calender and Contacts sync. However, you may have to wait weeks or months for this update from your carrier, or worse still you may never see it (Like Verizon customers, who are stuck on Android 2.2.2 despite the fact that it contains multiple known vulnerabilities). -
NOTE:
This update still leaves Picassa Sync vulnerable.
Switch off automatic sync when using open WiFi.
Better still, avoid using affected apps on open WiFi connections.
Seems like Android and Google together aren’t doing a good job of protecting user’s data.
No comments:
Post a Comment