
Security hole threatens 99% of Android phones


A security vulnerability may allow unauthorized parties to snoop on the Google Calendar and Contacts information of up to 99 percent of Android smartphones, security firm Sophos said.

Sophos' Graham Cluley said that researchers at the University of Ulm found the Calendar and Contacts apps transmit information via HTTP and merely get an authentication token (AuthToken) from Google. "That means that there's the potential for cybercriminals to eavesdrop on WiFi traffic and steal the authToken that your smartphone has just generated," Sophos said in a blog post.

Citing a paper by researchers Bastian Könings, Jens Nickels, and Florian Schaub, Sophos said that this applies to Google's ClientLogin Protocol in Android 2.3.3 and earlier.

Cluley noted that as AuthTokens can be used for several days for subsequent requests, hackers can exploit them to access what should be private services and data - such as one's web-based calendar. "Furthermore, it turns out that the generated authTokens are not linked to a particular phone, so they can be easily used to impersonate a handset," he said.

Cluley said that this scenario is a real problem if one uses an unencrypted WiFi hotspot such as those commonly available in hotel lobbies, airports or at the local coffee shop.

He said that while Google may have fixed the problem in Android 2.3.4, "(just) how many people are still running older versions of the Android OS?" Cluley said that approximately 99 percent of Android users are vulnerable, as they have not updated to at least version 2.3.4 (codenamed "Gingerbread").

"Unfortunately it's not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air," he said.

Cluley said that while Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users due to the wide range of Android devices out there. However, he said Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.

Upgrade to latest version, avoid open WiFi networks

Cluley recommended that Android smartphone users upgrade to the latest version of Android if at all possible.

"Furthermore, do not use open WiFi networks as your communications may not be properly protected. If you're worried about this latest security issue you might be wise to connect to the internet via 3G from their smartphone rather than using unencrypted public WiFi connections," he said. "Using 3G may eat into your data plan, but it's far less likely that your communications are being snooped upon," he added.

— TJD, GMA News
