99% of Android phones vulnerable to account exploit

[nsane.forums]

Mobile security is quickly becoming a hot topic as iOS and other platforms came under fire for tracking users' location, although that was quickly patched by Apple. Now, reports from the Register state that 99% of Android phones are vulnerable to being exploited and exposing users account credentials.

The report states that there is a vulnerability because of "improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier." This vulnerability opens up accounts for as long as 14 days and could allow anyone who acquires the tokens to take control of your account. The Register states:

After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

Even more damaging is how easily this exploit can be used in the real world. By setting up a WiFi network, a users tokens could be acquired and the accounts compromised. The report states:

To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (

evil twin

) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing

This security exploit should raise concern for end users. It is recommended that, on Android, to always use encrypted WiFi to maintain data security. Another issue is that for Google to patch the exploit, they have to push a patch out to the device. The problem arises that carriers have been slow to roll out updates for devices, which means that this vulnerability could remain in the wild for some time.

View: Original Article

[nsane.forums]

Researchers Discover Android Data Leaks: What You Need to Know

A security flaw in nearly all Android phones can leak contact, calendar and photo data to nearby hackers, researchers said. But is this a serious threat to Android security, or just an overblown bit of fear-mongering?

Let's walk through what we know to find out:

What's the issue?

Several Google Android apps use a method called ClientLogin to authorize the transfer of sensitive data to Web-based services. ClientLogin uses authorization tokens to pass the user's login and password through a secure https connection to a Web service, such as Google Calendar or your synced contacts.

The problem, according to researchers at Ulm University's Institute of Media Formatics, occurs once the token is validated and returned. It can then be used for up to two weeks in requests through insecure http connections, making it vulnerable to theft from a hacker over a Wi-Fi network.

What are the dangers?

A hacker could use the stolen token to gain access to calendars, contacts or Picasa images. The intruder could then steal or modify information within these services. Think corporate espionage or personal stalking.

Who's affected?

The issue applies to all Android versions prior to 2.3.4 for contacts and calendars, and including 2.3.4 for Picasa Web alsbums. Researchers say it applies to 99.7 percent of Android phones, which isn't accurate because the data they use only counts users who have recently accessed the Android Market. Still, it's safe to say that the vast majority of Android phones are affected.

What's the likelihood of being attacked?

There's the rub. The attack requires the user and the hacker to be on the same Wi-Fi network. The researchers describe the possibility of evil twin networks, which spoof popular Wi-Fi access points like those at Starbucks, but the more likely threat comes from ordinary insecure Wi-Fi.

Even then, we're talking about a hacker who's sitting in close proximity with the sole intent of stealing data. Like the Firesheep mass-hacking tool that caused a stir last year, this issue is scary to think about, but getting hit with an attack is not very likely for average users.

What can users do?

The best thing to do is to stick with secure Wi-Fi networks. In Android settings, you can also turn off automatic synchronization when connecting to open Wi-FI. Updating to Android 2.3.4 would solve most of the problems -- although Picasa information is still vulnerable -- but that's entirely in the hands of wireless carriers and phone makers.

Should Google do something?

The researchers have a several for Google, including a requirement that all apps and sync services switch to https, as Google Calendar and Contacts have done in Android 2.3.4. They also recommend that Google switch to a more secure authorization service such as OAuth, limit the lifetime of authentication tokens, reject ClientLogin requests for http connections and create a way to limit automatic Wi-Fi connections to protected networks.

View: Original Article

[nsane.forums]

How to protect your Android on public Wi-Fi

ConnectBot creates a secure tunnel using SSH to protect your data while it's in transit.

Android phones and tablets running version 2.3.3 and earlier suffer from a calendar and contact information vulnerability on public Wi-Fi networks, according to a new report. However, there are some concrete steps you can to protect yourself.

Here's how it works. The vulnerability is in the ClientLogin Protocol API, which streamlines how the Google app talks to Google's servers. Applications request access by sending an account name and password via secure connection, and the access is valid for up to two weeks. If the authentication is sent over unencrypted HTTP, an attacker could use network sniffing software to steal it over a legitimate public network, or spoof the network entirely using a commonly-named public network, such as "airport" or "library." While this won't work in Android 2.3.4 or above, including Honeycomb 3.0, that only covers 1 percent of in-use devices.

Of course, the safest solution is to avoid using public, unencrypted Wi-Fi networks by switching to mobile 3G and 4G networks whenever possible. That's not always an option, especially for Wi-Fi-only tablet owners or those on tight data plans.

One legitimate if painstaking option is to disable syncing for the affected Google apps when connected via public Wi-Fi. The security risk affects apps that connect to the cloud by using a protocol called authToken, not HTTPS. The apps tested by the researchers who wrote the report revealing the vulnerability included Contacts, Calendar, and Picasa. Gmail is not vulnerable because it uses HTTPS.

However, this a cumbersome fix, as it requires going into each app before you connect and manually disable syncing during the time you're on the particular public Wi-Fi. A much easier solution is to use an app. One of the best apps for secure communication is SSH Tunnel (download), which was designed for Android users stuck behind the Great Firewall of China. SSH Tunnel has some limitations: You must root your phone to use it, and the makers strongly advise people not in China look elsewhere for a secure tunneling app.

A better solution appears to be ConnectBot (download), which even offers a version from its Web site that supports pre-Cupcake versions of Android.

Users of third-party custom ROMs like CyanogenMod ought to check what security enhancements their installed ROM comes with. CyanogenMod, for example, has VPN support built-in and turned off. Cyanogen users can access it from the Settings menu, tap Wireless and Network Settings, then tap VPN Settings.

Given the fragmentation on Android devices, this is a severe security risk that is mitigated only by its limitation to specific apps and public networks. The ideal solution is for Google to release app fixes or Android updates as soon as possible, although the company has given no indication of what steps it plans to take, or when. As always when using public Wi-Fi networks, proceed with caution.

ConnectBot creates a secure tunnel using SSH to protect your data while it's in transit.

View: Original Article