Google has been rolling out a server-side patch for the ClientLogin authentication protocol vulnerability that affects 99.7% of Android smartphones.
"We recently started rolling out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," said a Google spokesperson via email.
Google's fix comes in response to a
warning, published earlier this month by researchers at the University of Ulm in Germany, that Android devices could be exploited in a sidejacking-like attack. Just as website session cookies can be stolen (sidejacked), allowing attackers to impersonate a user, attackers could sniff data being sent to and from Android smartphones that are connected to unsecured Wi-Fi networks--by using a tool such as Wireshark--and capture tokens for any Google service that uses the ClientLogin authentication protocol. Applications that use this protocol include Google Calendar, Contacts, and Picasa, as well as third-party applications for Facebook and Twitter.
Android smartphone users running the latest OS, 2.3.4, were already protected against the vulnerability. But 99.7% of Android users are still on older operating systems.
Accordingly, Google's solution has been a server-side fix that forces Android devices to use HTTPS--to keep data encrypted--when syncing with the Google Contacts or Calendar, so that authentication credentials can't be intercepted. "The great news is that it doesn't require a software update on the Android devices themselves--meaning the fix is automatic and worldwide. Effectively this is a silent fix," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
No attacks have been seen that exploit the vulnerability, and a fix is still in the works for Picasa. For now, Picasa users can mitigate the vulnerability by avoiding unsecured Wi-Fi networks, which would prevent their authentication credentials from being stolen.
Security-wise, Google's server-side patch is a crucial move because most cell phone carriers rarely push patches or OS updates to their customers. Because of that, some industry watchers had worried that Google would have difficulty securing older devices. For now, it's dodged that bullet, but in the future, major flaws could still pose a problem. "Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates," said Cluley.
Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?