May 17th, 2011

Of all the security exploits to have been uncovered in Android so far, this one might take the cake. It affects 99 percent of Android users and does so by exploiting digital tokens stored on devices after authenticating to password-protected services. According to The Register, the security breach is the result of a poorly implemented ClientLogin protocol, a problem that wasn’t fixed until Android 2.3.4. This means if you aren’t on the latest version of Gingerbread or Honeycomb, you are at risk.

What happens is that your handset stores a token known as authToken after authenticating to a service such as Facebook or Twitter. The token is stored for 14 days, allowing users to re-access the service easily. But it is this authToken that can be easily exploited using a bit of old-fashioned deception. A data thief need only set up an innocent-looking, unencrypted wireless network, give it a name that would encourage you to connect and feel safe on said network (such as starbucks, attwifi, etc.), and then snatch up the authTokens as devices attempt to connect to services over the network. Whoever has these authTokens can then gain access to your various accounts.

While Google has, as mentioned earlier, patched the exploit in the latest versions of Android, they have yet to respond to the report that Android versions 2.3.3 and earlier remain vulnerable. Your best bet for now is to set your phone to only manually connect to wireless networks, take a few precautions, and you should be fine.

[via BGR]