In the past, we have discussed Android's overall security problems and Marketplace vulnerabilities, but this week we have encountered a new set of problems, thanks to the researchers at Ulm University.
Here is the problem: many Google apps, such as Calendar and Contacts, sync with Google's servers regularly whenever the device has Internet access. They authenticate through a service known as ClientLogin: the device logs in once with the account credentials and receives an authentication token (authToken) that stays valid for up to 14 days, so it can keep syncing within that window without having to re-authenticate. That part is fairly common practice, similar to checking "Remember me" on services like Facebook. The problem is that the sync requests then send this token to Google's servers in clear text, over plain HTTP with no encryption.
How does this affect devices?
Every time your phone syncs your contacts or your calendar, it sends this token, which identifies you to that service, in a form anyone on the same network can read and reuse. All an adversary needs is control of, or a sniffer on, a Wi-Fi hotspot your phone connects to, and they hold a token that works for up to 14 days. The tokens are not tied to the phone or to the session, so a captured token can be replayed from any machine. Each token is scoped to one service rather than to the whole Google account, so a captured calendar token does not by itself open your email; but calendar and contacts tokens together expose your schedule and your address book, and they permit changes and deletions, not just reads. The researchers explained it best:
To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.
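To make concrete what an observer on such an access point actually sees, here is an added example, not code from the Ulm researchers or from Google: a small Python scanner that runs over a constructed capture of two sync requests and pulls out the ClientLogin tokens. The "Authorization: GoogleLogin auth=<token>" header shape is the documented ClientLogin one; the feed paths used to label each token with a service, the token values and the capture itself are assumptions constructed for the example. A constructed TLS-shaped blob is scanned too, to show why moving the sync to HTTPS closes the hole: the token is still sent, but it is no longer readable on the wire.

```python
"""Scan raw HTTP request data for cleartext ClientLogin tokens.

Added example; not code from the Ulm University researchers or from Google.
Models what a passive observer on an open Wi-Fi network (or an evil-twin
access point) sees when an Android device syncs over plain HTTP: the
"Authorization: GoogleLogin auth=<token>" header is readable as-is.
The capture below is constructed; the token values are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Request line, Host header and the ClientLogin Authorization header
# (header name and "GoogleLogin auth=" scheme follow the ClientLogin API).
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]\s*$", re.MULTILINE)
HOST_HEADER = re.compile(r"^Host:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
AUTH_HEADER = re.compile(
    r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$", re.IGNORECASE | re.MULTILINE
)

# Feed path prefixes used to label which service a token belongs to.
# Assumption for this example; match them to the endpoints in your own capture.
SERVICE_PREFIXES = {"/calendar/": "calendar", "/m8/feeds/": "contacts"}


@dataclass(frozen=True)
class LeakedToken:
    method: str
    host: str
    path: str
    token: str

    @property
    def service(self) -> str:
        for prefix, name in SERVICE_PREFIXES.items():
            if self.path.startswith(prefix):
                return name
        return "unknown"


def split_requests(text: str) -> list[str]:
    """Split a stream of header-only requests (sync GETs carry no body)
    on the blank line that terminates each header block."""
    return [blk for blk in re.split(r"\r?\n\r?\n", text) if blk.strip()]


def find_leaked_tokens(payload: bytes) -> list[LeakedToken]:
    """Return every ClientLogin token visible in a cleartext payload.

    TLS-wrapped traffic does not decode as ASCII HTTP text, so it yields
    nothing: the token is still sent, but an observer cannot read it.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    leaks: list[LeakedToken] = []
    for req in split_requests(text):
        m_req = REQUEST_LINE.search(req)
        m_host = HOST_HEADER.search(req)
        m_auth = AUTH_HEADER.search(req)
        if not (m_req and m_host and m_auth):
            continue  # not an HTTP request carrying a ClientLogin token
        leaks.append(
            LeakedToken(m_req.group(1), m_host.group(1).lower(), m_req.group(2), m_auth.group(1))
        )
    return leaks


# Constructed capture: two sync GETs as they appear over plain HTTP (port 80).
PLAINTEXT_CAPTURE = (
    b"GET /calendar/feeds/default/allcalendars/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=CONSTRUCTED-CALENDAR-TOKEN-0001\r\n"
    b"User-Agent: Android-GData/1.0\r\n"
    b"\r\n"
    b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=CONSTRUCTED-CONTACTS-TOKEN-0002\r\n"
    b"\r\n"
)

# Constructed bytes shaped like the start of a TLS handshake record followed
# by opaque data: what the same sync looks like on the wire once it uses HTTPS.
TLS_CAPTURE = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x9a" * 32


if __name__ == "__main__":
    for leak in find_leaked_tokens(PLAINTEXT_CAPTURE):
        print(f"{leak.service:9s} {leak.host}{leak.path}  token={leak.token}")
    print("tokens readable in HTTPS capture:", len(find_leaked_tokens(TLS_CAPTURE)))
```

Run against the constructed capture it reports one calendar and one contacts token, and nothing for the TLS-shaped bytes. Pointed at real traffic from a test device (for example a packet dump from the access point's interface), the same scanner tells you whether a given Android build still sends its sync over HTTP.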
Now, vulnerabilities like this turn up all the time; the important part is that Google has already fixed it, since Android 2.3.4 sends the Calendar and Contacts sync over HTTPS. So, how many Android users does this affect? Only about 99% of them, which is roughly the share of devices still running 2.3.3 or older at the time. So, not the entire population, just most. My guess is that the 1% are the developers themselves at Google.
So, why is it that a fix is available but almost no one has it? It is all about the fragmentation of the community. Google has had little luck getting carriers and manufacturers to keep their devices up to date, and by putting these groups in the distribution path it created a major problem for consumers. Can you imagine if Microsoft released a patch for Windows and you had to wait for HP to approve it before you could get it on your laptop? Well, that is exactly what Google has allowed to happen on their Android-powered phones, computers and tablets. Every manufacturer and carrier can decide whether or not to provide the update for your device. Brilliant.
In summation, two really bad decisions on Google's part have finally met in the middle to make it very hard for you to stop someone from walking off with your calendar and contacts. The best advice until an update reaches your phone: turn off automatic connection to Wi-Fi networks (and forget any open networks your phone has saved), and only let it sync over networks you trust, meaning a WPA2-protected Wi-Fi network or your mobile data connection. At least it's a start.