By 
Of all the security exploits to have been uncovered in Android so far, this one might take the cake. It affects 99 percent of Android users and does by exploiting digital tokens stored on devices after authenticating password-protected services. According to The Register, the security breach is the result of a poorly executed ClientLogin protocol, a problem that wasn’t fixed until Android 2.3.4. This means if you aren’t on the latest version of Gingerbread or Honeycomb, you are at risk.
What happens is your handset stores a token known as authToken on your handset after authenticating a service such as Facebook or Twitter. The token is stored for 14 days, allowing users to re-access the service easily. But it is this authToken that can be easily exploited using a bit of old-fashioned deception. A data thief need only to set up an innocent looking, unencrypted wireless network, give it a name that would encourage you to connect and feel safe on said network (such as starbucks, attwifi, etc.), and then snatch up the authTokens attempting to connect to services over the network. Whoever has these authTokens can then gain access to your various accounts.
While Google has, as mentioned earlier, patched the exploit in the latest versions of Android, they have yet to respond to the report that Android versions 2.3.3 and earlier remain vulnerable. Your best bet for now is to set your phone to only manually connect to wireless networks, take a few precautions, and you should be fine.
[via BGR]
When I first read about the dangers of unencrypted networks a long while ago, I immediately set my connections to manual. Sadly however, I don’t think it’s been publicized enough… enough…
Same here. I do not use unsecured Wifi connections that I’m not familiar with!
It doesn’t matter if you’re familiar with it. If you’re on a public wifi network (read: NOT even necessarily unencrypted), then anyone else who is on that public wifi network can trick your device into sending data through his machine (by ARP spoofing and masquerading as your default route).
Good thing i am on 2.3.4 :)
Nexus S FTW???
no doubt. . . the google experience devices are the way to go. now if google would just put out more than one at a time–at least two, one with qwerty and without.
And on all U.S. carriers at the same time. I have seen a lot of comments from Verizon users hoping that they will get the Nexus 3 first, if they do then I am going to Verizon.
That’s alot of work just to get to someones Facebook, twitter or Pandora account. Who even sees most if the unprotected wifi spots around them anyway?
Not saying I know a whole lot about Android phones, but wouldn’t this be relatively easy with a phone with built-in Wifi hotspot capabilities… and even more likely to be exploited on those phones where such capabilities are free (Nexus One and Optimus V, for example)?
… using something like “Shark for Root”, available for free in the Market.
Walk into a starbucks. turn on your Mobile Hotspot on your phone. I have a Samsung Galaxy S 4G and I can name the SSID anything I want.
Most Starbucks are now showing ATT as the hotspot, but name it StarbucksWifi and turn on Shark For Root… bam you are now sniffing everyone connecting to your phone. Max of 5 people, but you basically have just fooled them since Starbucks is free wifi.
Be cautious of connecting to free wifi unless you can confirm it’s the real deal.
Hey, this is fun. :-) Installed Shark for Root a little bit ago. Currently sniffing the packets of some hot chick at Panera. She’s got nice packets.
… using something like “Shark for Root”, available for free in the Market.
Good that I have a Nexus One then. Although I don’t think anyone in the Netherlands would be exploiting this….
right…….
Funny how this suddenly is an issue when people have been communicating like this (authentication tokens being sent unencrypted over http) from their computers since password protected web sites were invented. Not that I would mind if everyone switched over to ssl.
But aren’t unencrypted/Unsecured networks vulnerable to eavesdropping irrespective of the device?
By the way, 100% of all internet connected devices including PCs, phones (all variants), macs, Servers (windows, Unix & linux variants), cloud services are susceptible to serious attacks and data thefts… not just Android devices …
Eavesdropping on unencrypted/unsecured networks is easily achieved irrespective of the brand of the device.
With proper encryption (SSL being a good example of such) it is possible to securely communicate over an unsecured network.
The problem is there is rarely proper encryption through websites. They may use SSL for the login, but they aren’t encrypting the rest of the session or the cookies, hence you have extensions like firesheep making it easy to steal users credentials.
The more secure solution to using wifi is to tunnel your connection through a VPN over SSH, otherwise you really shouldn’t trust the connection.
Considering processor power available these days, all websites that you log into should use SSL.
Not everyone has the skills to VPN over SSH.
(When I use my mobile, I “tether” using nothing more than ConnectBot to SSH into my Ubuntu box at home (static IP address I’ve had for 15 years), and use SOCKS 5. All AT&T can see is an encrypted SSH connection. They don’t know whether I’m using a text app on the terminal, or maybe an app on the phone, tunneled by SOCKS 5, or whether it is my netbook.)
Briefly, can someone explain how to “set your phone to only manually connect to wireless networks”? Like a quick step-by-step in the settings. set your phone to only manually connect to wireless networks”? Like a quick step-by-step in the settings.
Settings > Wireless & network settings > WiFi settings > untick auto connect (or similar, may vary by device)
It auto connects to ones you’ve never connected to before?
Personally I don’t think so, but I haven’t used every different brand so I suppose it is possible, that’s where the setting would be. On my Atrix it will only auto connect to AT&T hotspots with that “auto connect” checkbox. I can’t remember what my old nexus did though.
All the phones I’ve tried it doesn’t! So turning of that option wont do anything except annoy you when your phones doesnt auto connect to your home router!
You make a valid point and it just goes to show how different phones have different settings; for me unchecking the auto connect only deals with the AT&T hotspots and has no effect on auto connecting to my known networks.
Just leave your Wi-Fi turned off unless you want to connect to a specific network. My EVO doesn’t auto-connect to anything Wi-Fi unless it’s turned on and then it asks me which network I want to connect to. Sounds pretty safe to me as long as I stay off open, unencrypted networks.
“Your best bet for now is to set your phone to only manually connect to wireless networks, take a few precautions”
How do you set your android phone to only manually connect to wireless networks you’ve never connected to before? (you cant)
What few precautions should I take?
The whole thing is a non issue, if you connect to unsecured wireless networks you’re asking for trouble anyway.
But yeah, the phrase I quoted, come on dude..
CyanogenMod nightly FTW
All 250,000 phones are protected. The last version chart from May 5th said that 4% of Android phones were on 2.3 and CM only makes up about 10% or less of that 4%.
So? I was talking about MY phone..
I know but us rooters are very vocal on Android sites so I try to make it clear that you don’t have to root your phone for it to be good. 99.5% people don’t root so I just let them know that they do have other options. I first rooted my G1 2 years ago and even I was surprised about CM’s numbers. I do love CM, I have installed it on multiple phones and told many of my friends that it is the only way to go if you want to root.
“99.5% people don’t root”
I’m not so sure about that, when the Superuser app has almost a million downloads in the Market.. and it’s bundled in most of the custom ROMs, so those don’t count!
Anyway, this “data vulnerability” isn’t really that much of a problem.
Let’s say there are 70,000,000 Android phones. 1% of that is 700,000, the Superuser app has 500,000 to 1,000,000 downloads. Also if you look on sites like Androidspin.com who else any numbers anywhere near CM. Most average people still think that there are millions of Android users that have rooted there phones. I am just saying that we tend to give the impression that rooting solves all of Android’s problems.
It’s incredible how much crap Android users have to deal with. It really is the “Windows” of mobile devices.
I’m probably never going to use another Android device after I replace my Nexus S in a year or so.
I understand your frustration.
But your Nexus S is always up-to-date and is the only device actually patched from this vulnerability. Had you mentioned you’re using another phone, and one that depends on the carrier to update, I would’ve been right with you.
But at least the Nexus series gets updated quickly when things like this are found…
Apple has its security issues and bugs too. (Recall that “flaw” last month where your location data was “accidentally” saved?) Most of the time, like Android, iOS is patched before it’s commonly known.
Umm maybe it gets updated first for a year. But after the new Nexus device comes out, it might be delayed seeing how long it took Google to release GB for Nexus One, even though they developed it on a Nexus One.
This current Android problem is about passwords and personal information. That’s a WAYYYY bigger problem then some anonymous location data.
Seems like a lot of hype really. Manual connection?? Not a chance. Name just one instance where personal data has been used maliciously because of this non-issue.
I’ve “hacked” my own facebook account from my phone, and posted a status update from a device that never had the password entered. It is a problem… for facebook you can change your security to https through the settings to avoid this.
How about this scam, which is documented and real:
“You logon to facebook and see a status update from one of your friends saying they have been robbed and are stuck in London. They’ve lost their credit cards, phone and cash. They’ve had to cancel their cards, but need someone to wire them some money so they can get by until the new cards arrive and/or to get home.
You know something doesn’t seem right, but not wanting to leave your friend stranded, you wire the money anyway…. Later you find out, your friend hasn’t even left the country. ”
This scam has happened a lot, and is one way to use your facebook and twitter account against you.
I think your example says more about the need for education about internet scams than anything else.
Yes, security and education go hand-in-hand. One should be aware of scams and systems shouldn’t make it easy to steal passwords so that scams like this can be instigated.
You asked how this “non-issue” could be used against you and I provided an example.
This is the same exploit used to hijack Facebook sessions. As long as you arent doing anything on an unsecured/unfamiliar network you’re going to be ok.
Common sense to the rescue…..
Turn off WiFi when you’re not connected to your own LAN. Turn it back on when and if you trust a network.
Not another one of these captain obvious vulnerabilities. If you are on an u trusted network……well …..there’s a reason they’re called intrusted.
Thankfully I have 2.3.4 via CM7
Another way I protected myself with never using Facebook or Twitter