Tuesday, May 17, 2011

Android Security Flaw Leaves User Data Wide Open


By: Kareem Ali

A report from InformationWeek today brings to light a security flaw on Android devices that could let attackers gain access to your personal information when you log into unsecured Wi-Fi hotspots.

The flaw is in how Android devices use the ClientLogin authentication protocol when they are on an open WiFi network. The protocol authenticates a user's account details by passing what's known as an authToken. The authToken is requested over HTTPS, which is reasonably secure; the problem is that when the app later sends the returned authToken, it goes over regular HTTP (no encryption). That means a cybercriminal on the same network could sniff the authToken and use it to access the user's personal data.

According to the report, the data that's left unencrypted is calendar information, contact data, and private web albums. So if someone captured your authToken over an unsafe WiFi connection, they could make any modifications to that data they choose, including viewing and deleting it.

The affected versions of Android run from 2.1 up to 3.0 and everything in between. Anything older than 2.3.3 is wide open (meaning all your authTokens are sent unencrypted); 2.3.4 fixes the problem for calendar and contact authTokens but still leaves your pictures out in the open.

The issue applies to all first- and third-party apps on Android that use the ClientLogin protocol without HTTPS, not just Gmail, Picasa, and Google Calendar.
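As an added illustration of the fix the post is waiting for (this is example code, not code from the original post or from Google): a client-side guard that only attaches a ClientLogin authToken to HTTPS requests, plus an audit that checks constructed request-log lines for the token travelling over plain HTTP. The header form, host names and token value are assumptions for the example.

```python
from urllib.parse import urlparse

# Header form the ClientLogin authToken travels in on data-API requests
# (assumption: "Authorization: GoogleLogin auth=<token>").
AUTH_PREFIX = "GoogleLogin auth="


def is_tls_url(url: str) -> bool:
    """True only for https:// URLs; anything else is treated as plaintext."""
    return urlparse(url).scheme.lower() == "https"


def build_sync_headers(url: str, auth_token: str) -> dict:
    """Attach the authToken only when the request will travel over TLS.

    A token obtained over HTTPS must never be re-sent in the clear: on an
    open WiFi network a sniffer could capture it and replay it against the
    calendar, contacts and web-album services the post describes.
    """
    if not is_tls_url(url):
        raise ValueError(f"refusing to send authToken over plaintext: {url}")
    return {"Authorization": AUTH_PREFIX + auth_token}


def audit_request_log(lines) -> list:
    """Return the plaintext URLs in a request log that carried the token.

    Line format is '<METHOD> <URL> <Authorization header value>', a
    constructed layout for this example rather than a real log format.
    """
    leaks = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # request carried no Authorization header
        _method, url, auth_value = parts
        if auth_value.startswith(AUTH_PREFIX) and not is_tls_url(url):
            leaks.append(url)
    return leaks


# Constructed sample log: hosts and the token value are placeholders.
SAMPLE_LOG = [
    "GET https://calendar.example/feeds/default GoogleLogin auth=TOKEN_PLACEHOLDER",
    "GET http://calendar.example/feeds/default GoogleLogin auth=TOKEN_PLACEHOLDER",
    "GET http://albums.example/data/feed/api/user/default GoogleLogin auth=TOKEN_PLACEHOLDER",
    "GET https://contacts.example/m8/feeds/contacts/default/full GoogleLogin auth=TOKEN_PLACEHOLDER",
    "GET http://albums.example/public/feed",
]
```

Running `audit_request_log(SAMPLE_LOG)` reports the two plaintext calendar and album requests, which is exactly what the 2.3.4 fix closes for calendar and contacts but not for pictures.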

This just adds more fuel to the phone-security-paranoia fire that's been burning since people found out their phones track them.

I personally don't like the government being all up in my data at all, but I understand I have to give up a certain amount of privacy in this new internet/social/super phone era that we live in if I want to enjoy all the benefits of social networks, email, and my cell phone. Otherwise developers are limited in the things they can do. Foursquare wouldn't exist if a phone couldn't find out where you are in order to check in, Facebook wouldn't work if my friends couldn't find me and I couldn't find them, etc. That does not mean, however, that I'm willing to give packet-sniffers my personal contacts.

There is a very easy way to avoid all this altogether: just don't sign up for Facebook, send emails, or have a cellphone. If you do have a presence on the internet and a mobile phone, and you're a little paranoid about your data being secure, here are some quick tips:

  • If you want to avoid this whole security flaw in Android, there is a simple setting called airplane mode which has been on phones for quite some time: go to your wireless settings and turn it on, and all wireless connections will be killed. That will prevent anyone from taking your authTokens or doing any other wireless sniffing. You could also just not log into 'open' WiFi networks.

  • Study your privacy settings on whatever social network you're on; learn how to block users and prevent people who aren't 'connected' with you directly from seeing or having access to any of your posts, tweets, check-ins, or whatever it is you kids do on your internets nowadays.

  • Finally, if you're using email, I would suggest Gmail, not because it's my favorite or the most popular, but mainly because it's the most secure. Unless they've changed how they do things, Gmail works by sending an encryption key to the machine you're emailing so that the message can be sent through their servers encrypted and unviewable to anyone except those with the encryption key. Once it arrives at the target email address, it's unencrypted and made viewable. Although no one but you and the intended recipient have the keys for the encryption, there is still the matter of Google having your login info, which of course means that they can go through any emails they want at any time, or if given enough money by the government or investigators. But there is really no way of avoiding this beyond setting up your own email server for you and your friends, separate from any third parties.

I expect that Google will be fixing this for all apps soon and will force secure packet transfers for returning authTokens. Until they do, I would really suggest not connecting to any open public WiFi networks (which you really shouldn't be doing on any OS on any device anyway).

Nothing is ever secure on the internet and privacy is a joke. There was a time on the web when people realized they didn't have to give all their real information to anyone. I remember when Facebook first came around and expected me to put 'proper' info on there; I was shocked. I didn't think anyone on the internet would be stupid enough to hand over their real name and other information to a website that didn't sell anything. At that time I understood that some places like eBay might need all that so they could ship you things and what-have-you, but a fake MySpace? Why would I give them any legit information?

At any rate, it seems that now people are totally willing to put up not just their own information but their friends', family's and co-workers' information as well. It truly is a weird and wacky world, but it's my world and I love it.
