Researchers at multiple universities are cautioning that practically all smartphones running Google’s Android software could be allowing third parties access to digital tokens that could allow access to services such as Google calendar and Contacts.
The issue, which affects all devices running versions of Android prior to 2.3.3 is related to dealing with of the authentication protocol ClientLogin. According to researchers at the German university of Ulm the, once a user enters their credentials, the programming interface retrieves its token in clear text. With the token valid for 14 days, a window appears where attackers could use their new found access however they like.
The whole process is relatively easy to exploit too, according to the researchers.
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,”
“The short answer is: Yes, it is possible, and it is quite easy to do so.”
This comes after a professor at Rice university demonstrated a similar flaw affecting Facebook, Twitter and once again Google Calendar. this time however the hack could only be carried out on an unsecured Wi-Fi network. Google has because patched the hole in Android 2.3.4 but failed to plug the whole when it concerns Picasa which allows web albums to potentially transmit sensitive data in the clear. Google is working on a fix.
The potential safety and security holes are exacerbated by Android’s fragmentation issues, which cause phones to remain on older software long after patches have been released. With carriers and device producers insisting on meddling with Google’s operating system updates can take months to get past their own software engineers. The result is a massive 99% of Android devices still being broad open to hacks.
Google recently said it will be working much more closely with carriers to try to decrease the time it takes for updates to be rolled out fully.
You can follow us on Twitter or join our Facebook fanpage to keep yourself updated on all the most recent from Microsoft, Google and Apple.