Researchers have discovered that most Android devices have holes through which personal data can be snagged by hackers.
The weak link in Android security, say University of Ulm researchers, is the ClientLogin authentication protocol when it is used over open Wi-Fi networks. ClientLogin is used to authenticate a user's account details with the Android Market and Google services; the login exchange itself, which returns an authToken, runs over a secured https connection. The problem is that returned authToken, which can remain valid for up to two weeks. When an app then sends it over plain http on an insecure network, hackers can sniff out the authToken and use it to access the user's personal data.
The personal data that's left hanging in the breeze is calendar information, contact data, and private Web albums. The researchers note that this means ne'er-do-wells can "view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."
Who does this affect? The researchers tested the authentication protocol on Android versions 2.1, 2.2, 2.2.1, 2.3.3, 2.3.4, and 3.0 across a wide range of handsets, including the HTC Nexus One, HTC Desire, HTC Incredible S, and the Motorola Xoom. Any device running Android version 2.3.3 or older is more or less wide open. That means 99.7% of all Android phones, according to the most recent statistics from Google (very few devices have been updated to Android 2.3.x yet).
The 2.3.4 system update to Android adds https support for calendar and contacts authentication requests, but leaves Picasa requests still open to attack.
The vulnerability in question applies not just to Google-developed Android applications, but third-party applications as well. Essentially, any app that uses Google's services and the ClientLogin protocol over http rather than https is fair game.
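To make the distinction concrete, here is a small audit script (an added example, not code from the researchers or from this article) that scans captured HTTP requests from a test device and flags any that carry a ClientLogin token over plain http. The request records, the placeholder token and the endpoint paths are constructed for illustration; the token header format `Authorization: GoogleLogin auth=<token>` is the one ClientLogin used.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A captured request is (method, url, headers); in a real audit these would come
# from an intercepting proxy in front of a test device. Sample data below is
# constructed, and the endpoint paths are illustrative, not current Google APIs.
Request = Tuple[str, str, Dict[str, str]]

def extract_clientlogin_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: GoogleLogin auth=<token>' header."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, param = value.strip().partition(" ")
    if scheme != "GoogleLogin" or not param.startswith("auth="):
        return None
    return param[len("auth="):] or None

def classify_service(url: str) -> str:
    """Heuristic mapping of host/path to the Google service the request targets."""
    parts = urlsplit(url)
    target = (parts.netloc + parts.path).lower()
    if "picasaweb" in target:
        return "picasa"
    if "/calendar/" in target:
        return "calendar"
    if "/m8/feeds/contacts" in target:
        return "contacts"
    return "other"

def audit_requests(requests: List[Request]) -> List[Tuple[str, str]]:
    """Return (service, url) for every request that sends a ClientLogin token
    over anything but https: on open Wi-Fi that token is readable by any peer."""
    findings = []
    for _method, url, headers in requests:
        if extract_clientlogin_token(headers) is None:
            continue  # no token in this request, nothing to leak
        if urlsplit(url).scheme.lower() != "https":
            findings.append((classify_service(url), url))
    return findings

TOKEN = "GoogleLogin auth=EXAMPLE_TOKEN_NOT_REAL"  # constructed placeholder value
SAMPLE_REQUESTS: List[Request] = [  # the login itself is https; two syncs are not
    ("POST", "https://www.google.com/accounts/ClientLogin", {}),
    ("GET", "http://www.google.com/m8/feeds/contacts/default/full", {"Authorization": TOKEN}),
    ("GET", "https://www.google.com/calendar/feeds/default/private/full", {"Authorization": TOKEN}),
    ("GET", "http://picasaweb.google.com/data/feed/api/user/default", {"Authorization": TOKEN}),
]
```

Run against the sample, the contacts and Picasa syncs are reported while the https calendar sync is not, which mirrors the article's point that the fix is per-service rather than per-device.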
Obviously, leaving this type of data unsecured could be problematic for anyone, but even more so for enterprise users of Android devices. Fortunately, there are some things that can be done to help prevent data theft.
First and foremost, don't use open Wi-Fi networks at all. Use cellular data and, if Wi-Fi is necessary, connect only to protected access points. End users also can switch off the automatic syncing tools (when using Wi-Fi) in the settings menu. These are relatively easy changes that will provide at least a modicum of protection before a more permanent fix is developed.
As for a permanent fix, updating devices to Android version 2.3.4 is necessary, but that won't be an easy step to take. Generally, even minor system updates are only available from wireless network operators and handset vendors. Given the absolute lack of Android 2.3 on most devices, the probability that you'll be able to update your workforce to Android 2.3.4 in the near future is slim to none.
Beyond these steps, it is up to Google and Android developers to solve this security problem.