Android’s Anomaly?

There are reports coming out today about Google Android and how approximately 99.7% of its users are potentially open to compromise.  This news cycle started with Ulm University publishing some results on the 13th of May.  I'm sure this story will develop and CTAC may follow up on this post with more details; however, let us focus on what journalists are reporting as fact:

  1. Upgrade to Android 2.3.4 or 3.0.
  2. Versions 2.3.3 and prior are vulnerable.
  3. Your Android and an attacker must both be physically logged into the same public unencrypted WiFi connection.

The issue at hand is that the vulnerable OS versions connect to Calendar Sync, Contacts Sync and Picasa Sync in plaintext.  The new versions of Android connect to these services over an encrypted (HTTPS) connection.  The exception is Picasa Sync, which may still use a plaintext connection.  The chart provided by Ulm University, showing which sync services use an encrypted connection on each version, is reproduced for convenience below:

Android version   Calendar Sync   Contacts Sync   Picasa Sync (Gallery)
3.0               yes             yes             ?
2.3.4             yes             yes             no
2.3.3             no              no              no
2.2.1             no              no              n/a
2.2               no              no              n/a
2.1               no              no              n/a

What exactly is the issue, now that we know how to potentially protect ourselves?  Google uses a protocol called ClientLogin for authentication into applications.  ClientLogin hands the client a token called authToken, and the vulnerable implementation may then send that token back to Google in plaintext on every sync request.  On a public open WiFi network, this authToken may be captured by an attacker and then used to impersonate you.
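The exposure described in the two paragraphs above is easy to check for from the defender's side: a ClientLogin client presents its token in an `Authorization: GoogleLogin auth=<token>` request header, so a sync request that carries that header outside a TLS session is exactly the plaintext leak the Ulm researchers reported. The script below is an added example written for this post (it is not code from Google, Ulm University or ESET); it walks a small set of constructed captured requests and reports every ClientLogin token that was sent without TLS, with the token redacted in the report. The capture format (`CapturedRequest`), the hostnames and the token values are all assumptions made up for the demo.

```python
"""Detect Google ClientLogin tokens sent over unencrypted HTTP.

Added example for this post, not Google's, Ulm University's or ESET's code.
A ClientLogin client presents its token as 'Authorization: GoogleLogin
auth=<token>'; if that request leaves the device without TLS, anyone on the
same open WiFi can read it. The requests below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Header form used by ClientLogin clients; the token is a run of
# non-whitespace characters after "auth=".
GOOGLELOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(?P<token>\S+)$", re.IGNORECASE)


@dataclass
class CapturedRequest:
    """One HTTP request as seen on the wire (assumed capture format)."""
    host: str
    path: str
    tls: bool                        # True if the request was inside a TLS session
    headers: dict = field(default_factory=dict)


def extract_authtoken(headers):
    """Return the ClientLogin token from an Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        match = GOOGLELOGIN_RE.match(value.strip())
        if match:
            return match.group("token")
    return None


def redact(token):
    """Keep only the ends of a token so a report never reproduces it whole."""
    if len(token) <= 12:
        return "***"
    return token[:4] + "..." + token[-4:]


def find_exposed_tokens(requests):
    """Return (host, path, redacted token) for every token sent without TLS."""
    findings = []
    for req in requests:
        token = extract_authtoken(req.headers)
        if token is not None and not req.tls:
            findings.append((req.host, req.path, redact(token)))
    return findings


# Constructed sample traffic: the paths mimic the sync services named in the
# post; the tokens are made up and are not valid credentials.
SAMPLE_REQUESTS = [
    # Calendar sync over plain HTTP: token exposed
    CapturedRequest("www.google.com", "/calendar/feeds/default/private/full", tls=False,
                    headers={"Authorization": "GoogleLogin auth=DQAAAK0constructedCalendarToken0001"}),
    # Contacts sync inside TLS: token protected
    CapturedRequest("www.google.com", "/m8/feeds/contacts/default/full", tls=True,
                    headers={"Authorization": "GoogleLogin auth=DQAAAK0constructedContactsToken0002"}),
    # Picasa sync over plain HTTP, header written in lower case: still exposed
    CapturedRequest("picasaweb.google.com", "/data/feed/api/user/default", tls=False,
                    headers={"authorization": "googlelogin auth=DQAAAK0constructedPicasaToken0003"}),
    # Plain HTTP request with no token: nothing to report
    CapturedRequest("www.google.com", "/", tls=False,
                    headers={"User-Agent": "constructed-client/1.0"}),
]


if __name__ == "__main__":
    for host, path, token in find_exposed_tokens(SAMPLE_REQUESTS):
        print(f"PLAINTEXT TOKEN  host={host} path={path} token={token}")
```

Run against the constructed sample, the script reports the Calendar and Picasa requests and stays silent on the Contacts request, which mirrors the 2.3.4 row of the chart above: the same token is harmless inside TLS and a credential leak outside it. Header matching is case-insensitive because HTTP header names and the `GoogleLogin` scheme are not case-sensitive, and the report never prints a full token so the detection tool does not itself become a second place the credential is written down.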

What is the feasibility of this occurring?  Lots of cybercrime occurs remotely.  Sure, there is WiFi "wardialing"; however, I think the chances of a regular user coming under attack are probably not that high.  Being paranoid, I still recommend upgrading your Android OS and staying away from public WiFi networks.  Be mindful of where you are and what your systems connect into.


UPDATE 8:23 AM on 18 May Pacific Daylight Time

Kudos to folks reporting in that the ability to upgrade one's Android operating system is in the hands of the provider.

UPDATE 11:19 AM on 18 May PDT

According to a PC Magazine Report, Google indicated it will be rolling out a fix over the next few days that does not require user intervention.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson told PCMag. "This fix requires no action from users and will roll out globally over the next few days."


Portions of this page (Google Android Image) are reproduced from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.

Author ESET Research, ESET

  • Leo Davidson

    I still recommend upgrading your Android OS

    The problem is, it's not up to end-users when they can upgrade Android; it's up to the phone manufacturers and (often) the mobile networks/carriers.
    That 99.7% of users on an older version of Android probably have no choice in the matter, other than to buy one of the few newer handsets that 2.3.4 has been released for. (Even many new handsets are still being released with 2.2, which is ridiculous.)
    Android is currently my phone platform of choice, but this aspect of it is awful. Complex devices which hold so much personal data and credentials to access your entire life should not be left without security updates the way they are.

  • Paul Laudanski

    Thank you Leo for contributing and helping folks to better understand this.

  • Chris

    Unfortunately, we cannot upgrade Android OS ourselves without rooting. I have a Verizon Android HTC Incredible phone; Verizon takes too much time to update. I wish it was in Google's hands so they can send us the update quickly. In 1 year, it took them about six months to go from 2.1 to 2.2 and now I am not sure when I will get the next update from Verizon.

  • Alan

    The only way Android manufacturers will release the updates is if the phone costs over $300, and you’re on an expensive plan.

  • Android Applications Development

    Android OS is in a big problem and this is basically with Android 2.3.3 that the password gets hacked. The only solution to this is to stop using public Wi-Fi — coffee shops, book stores, etc. — to prevent this hacking.
