Android User Data Easily Stolen - InformationWeek

Researchers have discovered that most Android devices have holes through which personal data can be snagged by hackers.

The weak link in Android security, say University of Ulm researchers, is the ClientLogin authentication protocol when it is used on open Wi-Fi networks. ClientLogin is what authenticates a user's account details with the Android Market and Google services: the credentials travel over a secured https connection, and Google returns an authToken. The problem is that this authToken can remain valid for up to two weeks, and when apps then present it over insecure http connections, anyone sniffing the network can capture the token and use it to access the user's personal data.

The personal data that's left hanging in the breeze is calendar information, contact data, and private Web albums. The researchers note that this means ne'er-do-wells can "view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

Who does this affect? The researchers tested the authentication protocol across Android versions 2.1, 2.2, 2.2.1, 2.3.3, 2.3.4, and 3.0 on a wide range of handsets, including the HTC Nexus One, HTC Desire, HTC Incredible S, and the Motorola Xoom. Any device running Android 2.3.3 or older is more or less wide open. That means 99.7% of all Android phones, according to the most recent statistics from Google (very few devices have been updated to Android 2.3.x yet).

The 2.3.4 system update to Android adds https support for calendar and contacts authentication requests, but leaves Picasa requests still open to attack.

The vulnerability in question applies not just to Google-developed Android applications, but third-party applications as well. Essentially, any app that uses Google's services and the ClientLogin protocol over http rather than https is fair game.
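As an added illustration (not part of the InformationWeek article or the Ulm research), the following Python audit scans captured request metadata for ClientLogin authTokens presented over plain http, the pattern the researchers describe, and reports how long each leaked token stays usable given the two-week validity. The hostnames, tokens and timestamps in the sample are constructed.

```python
"""Flag ClientLogin authTokens sent over cleartext http and report their remaining lifetime."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)      # article: an authToken may stay valid up to two weeks
CLIENTLOGIN_PREFIX = "GoogleLogin auth="  # header form used by ClientLogin-authenticated requests


@dataclass
class Request:
    url: str
    headers: dict          # request headers as sent on the wire
    issued_at: datetime    # when the token in use was issued (constructed for the sample)


def redact(token: str) -> str:
    """Keep only the token ends so findings can be correlated without exposing the token."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "***"


def audit(requests, now):
    """Return one finding per request that presents a ClientLogin token over plain http."""
    findings = []
    for req in requests:
        auth = req.headers.get("Authorization", "")
        if not auth.startswith(CLIENTLOGIN_PREFIX):
            continue  # not a ClientLogin-authenticated request
        if urlsplit(req.url).scheme.lower() != "http":
            continue  # https: the token is protected in transit
        usable_until = req.issued_at + TOKEN_LIFETIME
        findings.append({
            "host": urlsplit(req.url).hostname,
            "token": redact(auth[len(CLIENTLOGIN_PREFIX):]),
            # how long a sniffed copy of this token would still be accepted
            "exposed_for": max(usable_until - now, timedelta(0)),
        })
    return findings


# Constructed sample: three requests from one device on an open Wi-Fi network (assumed hosts).
NOW = datetime(2011, 5, 17, 12, 0)
SAMPLE = [
    Request("http://calendar.example.test/feeds/default",
            {"Authorization": "GoogleLogin auth=DQAAAMQAAAC-constructed-token-1"}, NOW - timedelta(days=3)),
    Request("https://contacts.example.test/m8/feeds",
            {"Authorization": "GoogleLogin auth=DQAAAMQAAAC-constructed-token-2"}, NOW - timedelta(days=1)),
    Request("http://picasa.example.test/data/feed/api/user/default",
            {"Authorization": "GoogleLogin auth=DQAAAMQAAAC-constructed-token-3"}, NOW - timedelta(days=20)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE, NOW):
        print(f"{f['host']}: token {f['token']} sent in cleartext, usable for {f['exposed_for']}")
```

The https request is not reported; the expired picasa token is reported with zero remaining exposure so the cleartext use is still visible to the auditor.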

Obviously, leaving this type of data unsecured could be problematic for anyone, but even more so for enterprise users of Android devices. Fortunately, there are some things that can be done to help prevent data theft.

First and foremost, don't use open Wi-Fi networks at all. Use cellular data and, if Wi-Fi is necessary, connect only to protected access points. End users also can switch off the automatic syncing tools (when using Wi-Fi) in the settings menu. These are relatively easy changes that will provide at least a modicum of protection before a more permanent fix is developed.

As for a permanent fix, updating devices to Android version 2.3.4 is necessary, but that won't be an easy step to take. Generally, even minor system updates are only available from wireless network operators and handset vendors. Given the absolute lack of Android 2.3 on most devices, the probability that you'll be able to update your workforce to Android 2.3.4 in the near future is slim to none.

Beyond these steps, it is up to Google and Android developers to solve this security problem.

