Mobile
News
5/25/2011
11:20 AM
Connect Directly
RSS
E-Mail
50%
50%

Google Patches Sidejacking Vulnerability

The server-side patch fixes an authentication bug that affects 99.7% of Android users and their access to Calendar and Contacts.

12 Essential Android Apps For SMBs
Slideshow: 12 Essential AndroidApps For SMBs
(click for larger image and for full slideshow)
Google has been rolling out a server-side patch for the ClientLogin authentication protocol vulnerability that affects 99.7% of Android smartphones.

"We recently started rolling out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," said a Google spokesperson via email.

Google's fix comes in response to a warning, published earlier this month by researchers at the University of Ulm in Germany, that Android devices could be exploited in a sidejacking-like attack. Just as website session cookies can be stolen (sidejacked), allowing attackers to impersonate a user, attackers could sniff data being sent to and from Android smartphones that are connected to unsecured Wi-Fi networks--by using a tool such as Wireshark--and capture tokens for any Google service that uses the ClientLogin authentication protocol. Applications that use this protocol include Google Calendar, Contacts, and Picasa, as well as third-party applications for Facebook and Twitter.

Android smartphone users running the latest OS, 2.3.4, were already protected against the vulnerability. But 99.7% of Android users are still on older operating systems.

Accordingly, Google's solution has been a server-side fix that forces Android devices to use HTTPS--to keep data encrypted--when syncing with the Google Contacts or Calendar, so that authentication credentials can't be intercepted. "The great news is that it doesn't require a software update on the Android devices themselves--meaning the fix is automatic and worldwide. Effectively this is a silent fix," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

No attacks have been seen that exploit the vulnerability, and a fix is still in the works for Picasa. For now, Picasa users can mitigate the vulnerability by avoiding unsecured Wi-Fi networks, which would prevent their authentication credentials from being stolen.

Security-wise, Google's server-side patch is a crucial move because most cell phone carriers rarely push patches or OS updates to their customers. Because of that, some industry watchers had worried that Google would have difficulty securing older devices. For now, it's dodged that bullet, but in the future, major flaws could still pose a problem. "Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates," said Cluley.

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.