Android User Data Easily Stolen - InformationWeek

Researchers have discovered that most Android devices have holes through which personal data can be snagged by hackers.

The weak link when it comes to security on Android devices, say University of Ulm researchers, is how the ClientLogin authentication protocol is used on open Wi-Fi networks. ClientLogin is the mechanism by which an app proves a user's account credentials to the Android Market and to Google services: it sends the username and password over a secured https connection and receives an authToken in return. The problem is what happens to that authToken afterward. It remains valid for up to two weeks, and the Calendar, Contacts, and Picasa sync components on affected devices present it to Google's servers over plain, unencrypted http. On an open Wi-Fi network, anyone within radio range can sniff the token off the air and then replay it to reach the user's data for as long as the token stays valid.

The personal data that's left hanging in the breeze is calendar information, contact data, and private Web albums. The researchers note that this means ne'er-do-wells can "view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

Who does this affect? The researchers tested the authentication protocol on Android versions 2.1, 2.2, 2.2.1, 2.3.3, 2.3.4, and 3.0 across a range of handsets, including the HTC Nexus One, HTC Desire, HTC Incredible S, and the Motorola Xoom. Any device running Android 2.3.3 or older is more or less wide open. According to the most recent statistics from Google, that describes 99.7% of all Android phones, because very few devices have been updated even to the 2.3.x branch, let alone to the 2.3.4 release that contains the partial fix.

The 2.3.4 system update moves the Calendar and Contacts requests to https, but leaves the Picasa requests in the clear and still open to attack.

The vulnerability is not limited to Google's own Android applications; third-party apps are exposed as well. Essentially, any app that obtains a ClientLogin authToken and then presents it to a Google service over http rather than https is fair game.
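The following is an added example, written for this article rather than taken from Google or the Ulm researchers, to make the mechanism of the preceding paragraphs concrete. It models what a passive sniffer on an open access point reconstructs: the https ClientLogin exchange is opaque, but any sync request that carries the token in the clear (the "Authorization: GoogleLogin auth=..." header that the Google Data APIs used) is readable and the token can be replayed until it expires. It also shows the client-side rule that the 2.3.4 update applied to Calendar and Contacts but not Picasa: never put the token on an http connection. The captured flows, the token value and the path-to-service mapping are constructed for the example.

```python
"""Added example: how a ClientLogin authToken leaks on open Wi-Fi.

Illustrative code for this article, not Google's or the researchers' own.
It models the two halves of the problem:
 1. ClientLogin itself runs over https, so the token exchange is not visible.
 2. The sync apps then present that token in a plaintext http request header
    ("Authorization: GoogleLogin auth=<token>"), which anyone on the same
    open network can read and replay for as long as the token is valid.
"""
import re
from datetime import timedelta
from urllib.parse import urlsplit

# ClientLogin tokens stayed valid for about two weeks (the article's figure).
TOKEN_LIFETIME = timedelta(days=14)

# Google Data API path prefixes used by the three sync services discussed.
SERVICE_PATHS = {
    "/m8/feeds/": "contacts",
    "/calendar/feeds/": "calendar",
    "/data/feed/api/": "picasa",
}

# The header format ClientLogin clients used to present the token.
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$", re.I | re.M)


def service_for(path):
    """Map a request path to the sync service it belongs to."""
    for prefix, name in SERVICE_PATHS.items():
        if path.startswith(prefix):
            return name
    return "unknown"


def extract_leaked_tokens(flows):
    """Return one record per plaintext request that carries a ClientLogin token.

    flows: list of (scheme, host, raw_request) tuples as a passive sniffer on
    an open access point would reconstruct them. For https flows raw_request
    is None: the bytes are encrypted, so nothing can be read from them.
    """
    leaks = []
    for scheme, host, raw in flows:
        if scheme != "http" or raw is None:
            continue
        match = AUTH_RE.search(raw)
        if not match:
            continue
        path = raw.split(" ", 2)[1]  # "GET <path> HTTP/1.1..."
        leaks.append({"host": host, "path": path,
                      "service": service_for(path), "token": match.group(1)})
    return leaks


def build_sync_request(url, token, allow_plaintext=False):
    """Build the request line and headers a sync client would send.

    Mirrors the 2.3.4 fix for Calendar and Contacts: refuse to put the token
    on the wire unless the URL is https. allow_plaintext=True reproduces the
    pre-2.3.4 (and Picasa) behaviour for the constructed capture below.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" and not allow_plaintext:
        raise ValueError(f"refusing to send ClientLogin token over {parts.scheme}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (f"GET {path} HTTP/1.1\r\nHost: {parts.netloc}\r\n"
            f"Authorization: GoogleLogin auth={token}\r\n\r\n")


def token_usable_after(days_since_issue):
    """A sniffed token keeps working until its lifetime runs out."""
    return timedelta(days=days_since_issue) < TOKEN_LIFETIME


# Constructed sample capture; the token value is made up.
SAMPLE_TOKEN = "DQAAAMAAAAC7EXAMPLEtoken0000000000000000"
SAMPLE_FLOWS = [
    # Token issued over https: the sniffer sees only ciphertext.
    ("https", "www.google.com", None),
    # Pre-2.3.4 Contacts sync: token in the clear.
    ("http", "www.google.com",
     build_sync_request("http://www.google.com/m8/feeds/contacts/default/full",
                        SAMPLE_TOKEN, allow_plaintext=True)),
    # Picasa sync, still plaintext even on 2.3.4.
    ("http", "picasaweb.google.com",
     build_sync_request("http://picasaweb.google.com/data/feed/api/user/default",
                        SAMPLE_TOKEN, allow_plaintext=True)),
    # 2.3.4 Calendar sync over https: nothing readable.
    ("https", "www.google.com", None),
    # Unrelated plaintext traffic without a token.
    ("http", "example.org", "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for leak in extract_leaked_tokens(SAMPLE_FLOWS):
        print(f"{leak['service']:9s} {leak['host']}{leak['path']} "
              f"token={leak['token'][:12]}...")
    print("replayable 13 days after issue:", token_usable_after(13))
```

Run stand-alone, the script reports the Contacts and Picasa requests as leaking the same token while the two https flows and the token-free request contribute nothing. The check in build_sync_request is the one a third-party developer needed to apply in their own code, since the platform update only fixed Google's own Calendar and Contacts clients.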

Obviously, leaving this type of data unsecured could be problematic for anyone, but even more so for enterprise users of Android devices. Fortunately, there are some things that can be done to help prevent data theft.

First and foremost, don't use open Wi-Fi networks at all. Use cellular data and, if Wi-Fi is necessary, connect only to protected access points. End users can also switch off automatic syncing (at least while on Wi-Fi) in the settings menu. These are relatively easy changes that provide at least a modicum of protection until a more permanent fix is available.

As for a permanent fix, devices need to be updated to Android 2.3.4, but that won't be an easy step to take. Even minor system updates are generally available only from wireless network operators and handset vendors, on their schedule. Given how few devices are running Android 2.3 at all, the probability that you'll be able to update your workforce to 2.3.4 in the near future is slim to none.

Beyond these steps, it is up to Google and Android developers to solve this security problem.
