Researchers at multiple universities are warning that almost all smartphones running Google’s Android software could be exposing digital authentication tokens to third parties, giving them access to services such as Google Calendar and Contacts.
The issue, which affects all devices running versions of Android prior to 2.3.3, concerns the handling of the ClientLogin authentication protocol. According to researchers at the University of Ulm in Germany, once a user enters their credentials, the programming interface retrieves its authentication token in clear text. With the token valid for 14 days, a window opens in which attackers could use their newfound access however they like.
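As an added illustration, not taken from the original report or from Google's or the Ulm team's code, the following audit script shows what a defender would look for: ClientLogin tokens travelling over plaintext HTTP rather than TLS, and the conservative 14-day exposure window that follows each sighting. The header shape `Authorization: GoogleLogin auth=<token>` is the protocol's own; the hosts, paths, timestamps and token in the sample capture are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Validity period the Ulm researchers reported for a ClientLogin token.
TOKEN_LIFETIME = timedelta(days=14)


@dataclass
class CapturedRequest:
    """One HTTP request as recorded by a proxy or packet capture (constructed)."""
    captured_at: datetime
    scheme: str          # "http" (plaintext) or "https" (TLS), as seen on the wire
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def extract_clientlogin_token(headers):
    """Return the token from a ClientLogin Authorization header, or None.

    ClientLogin clients send the token as 'Authorization: GoogleLogin auth=<token>'.
    """
    prefix = "GoogleLogin auth="
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith(prefix):
            return value[len(prefix):]
    return None


def token_fingerprint(token):
    """Short hash so a report can correlate reuse without logging the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def audit_cleartext_tokens(requests):
    """Report every ClientLogin token observed on a plaintext connection.

    The capture cannot tell when a token was issued, so the exposure window is
    bounded conservatively: a token seen at time T may stay valid until
    T + TOKEN_LIFETIME. Tokens sent under TLS are not reported.
    """
    findings = []
    for req in requests:
        token = extract_clientlogin_token(req.headers)
        if token is None or req.scheme.lower() != "http":
            continue  # no ClientLogin token, or it travelled under TLS
        findings.append({
            "host": req.host,
            "path": req.path,
            "token": token_fingerprint(token),
            "exposed_until": req.captured_at + TOKEN_LIFETIME,
        })
    return findings


# Constructed sample capture: the same token used twice, once in the clear
# and once under TLS, plus one request that carries no token at all.
SAMPLE_TOKEN = "DQAAAK0AAAC-constructed-example-token"
SAMPLE_CAPTURE = [
    CapturedRequest(datetime(2011, 5, 16, 9, 0), "http", "www.google.com",
                    "/calendar/feeds/default/private/full",
                    {"Authorization": "GoogleLogin auth=" + SAMPLE_TOKEN}),
    CapturedRequest(datetime(2011, 5, 16, 9, 1), "https", "www.google.com",
                    "/m8/feeds/contacts/default/full",
                    {"Authorization": "GoogleLogin auth=" + SAMPLE_TOKEN}),
    CapturedRequest(datetime(2011, 5, 16, 9, 2), "http", "www.google.com",
                    "/calendar/", {"User-Agent": "constructed-client/1.0"}),
]

if __name__ == "__main__":
    for f in audit_cleartext_tokens(SAMPLE_CAPTURE):
        print(f"{f['host']}{f['path']}: token {f['token']} sent in clear, "
              f"treat as exposed until {f['exposed_until']:%Y-%m-%d}")
```

Run against the sample capture it reports only the first request: the second carried the same token but under TLS, and the third carried no token. The fingerprint rather than the token itself goes into the report so that the audit log does not become a second place the secret can leak from.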
The whole process is relatively easy to exploit too, according to the researchers.
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,”
“The short answer is: Yes, it is possible, and it is quite easy to do so.”
This comes after a professor at Rice University demonstrated a similar flaw affecting Facebook, Twitter and, once again, Google Calendar. This time, however, the hack could only be carried out on an unsecured Wi-Fi network. Google has since patched the hole in Android 2.3.4 but failed to plug the hole when it comes to Picasa, which allows web albums to potentially transmit sensitive data in the clear. Google is working on a fix.
The potential security holes are exacerbated by Android’s fragmentation issues, which cause phones to remain on older software long after patches have been released. With carriers and device manufacturers insisting on meddling with Google’s operating system, updates can take months to get past their own software engineers. The result is that a massive 99% of Android devices remain wide open to the attack.
Google recently said it will be working more closely with carriers to try to reduce the time it takes for updates to be rolled out fully.