There are reports coming out today about Google Android and how approximately 99.7% of its users are potentially open to compromise. This news cycle started by the Ulm University publishing some information on the 13th of May showing some results. I'm sure this story will develop and CTAC may follow-up to my blog with more details; however, let us focus on what journalists are reporting as fact:
The issue at hand is the vulnerable OS versions connect into Calendar Sync, Contacts Sync and Picasa Sync in the clear plaintext. The new version of Android connects to these services over WiFi via encryption, or HTTPS. The exclusion is Picasa Sync which may still use plaintext connection. A chart provided by Ulm University is shown for convenience below:
|Android version||Calendar Sync||
|Picasa Sync (Gallery)|
What exactly is the issue, now that we know how to potentially protect ourselves? Google uses a protocol called ClientLogin for authentication into applications. Unfortunately the implementation of ClientLogin that sends back a token called authToken may be in the clear plaintext. And it is during a public open WiFi that this authToken may be swiped by an attacker, and then used to impersonate you.
What is the feasibility of this occuring? Lots of cybercrime occurs remotely. Sure there is WiFi "wardialing"; however, the chances I think of a regular user coming under attack are probably not that high. Being paranoid, I still recommend upgrading your Android OS and stay away from Public WiFi networks. Be mindful of where you are and what your systems connect into.
UPDATE 8:23 AM on 18 May Pacific Daylight Time
Kudos to folks reporting in that the ability to upgrade one's Android operating system is in the hands of the provider.
UPDATE 11:19 AM on 18 May PDT
According to a PC Magazine Report, Google indicated it will be rolling out a fix over the next few days that does not require user intervention.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson told PCMag. "This fix requires no action from users and will roll out globally over the next few days."
Author ESET Research, We Live Security