[IH8Rice]

the great android has problems? wheres out tech savvy wizard when we need him??

An Android personal data leakage epidemic has just been revealed. The vulnerability affects 99% of Android phones and may allow hackers to steal your Facebook, Google Calendar, or other personal data if you use a rogue open Wi-Fi network. Here's how to protect yourself.
The vulnerability affects apps that use an authentication protocol known as ClientLogin in Android 2.3.3 and earlier. The ClientLogin API is supposed to tighten security and improve performance of apps, because Google's servers only need to validate your login information once, and your username and password are sent only once; afterwards, the app uses a token instead.

However, unless your device is one of the 1% with Android 2.3.4, those credentials—for Google Calendar, Twitter, Facebook, and other accounts—are submitted in the clear. This can give attackers access to those accounts if you unwittingly connect to an unencrypted wireless network set up by the atttacker.

http://gizmodo.com/5802705/android-data-vulnerability-how-to-protect-yourself

 

[binary visions]

...and Google is plugging the leak right now, server-side, with no software modification necessary:

http://gizmodo.com/5803130/googles-plugging-that-potential-android-personal-data-leakage-right-now

 

[IH8Rice]

phew, that makes it okay.

edit: i thought my link had mentioned them fixing it

 

[binary visions]

Of course it's not okay. But it's being addressed immediately and requires no intervention on the part of the customers. That sounds like the best response you could ask for, no?

 

[jonKranked]

also, the potential issue only occurs during a behavior/usage which is user initiated. don't wanna be at risk? simple, dont connect to an open/rogue wifi.

 

[IH8Rice]

also, the potential issue only occurs during a behavior/usage which is user initiated.

that doesnt make it any less of a problem.
i see this being more of a issue then apple's tracking system.

 

[jonKranked]

that doesnt make it any less of a problem.
i see this being more of a issue then apple's tracking system.

lol how?

its a risk based on a user initiated activity, and hence won't affect 100% of the user base 100% of the time, and can be avoided by the user.

the apple tracking issue affected 100% of the user base 100% of the time, and there was no way for the user to prevent it / opt out.

 

[IH8Rice]

lol how?

its a risk based on a user initiated activity, and hence won't affect 100% of the user base 100% of the time, and can be avoided by the user.

the apple tracking issue affected 100% of the user base 100% of the time, and there was no way for the user to prevent it / opt out.

because you could only get the information from an iphone if you stole the person's phone and or the computer that it was synced to.
this android issue effects 99% of the customers out there (if they connect to a open wifi signal)

 

[jonKranked]

because you could only get the information from an iphone if you stole the person's phone and or the computer that it was synced to.

...or if they gained remote access to the computer it was synched to, which eliminates the necessity of physical proximity to the device/data in question.

this android issue effects 99% of the customers out there (if they connect to a open wifi signal)

and that's a BIG if. The only time I ever connect to wifi is up at nolan's. My gf never uses wifi. Most of the people I know w/ android leave wifi off to help w/ the battery life.

Also, this breach necessitates physical proximity to intercept the wireless signal.

 

[IH8Rice]

...or if they gained remote access to the computer it was synched to, which eliminates the necessity of physical proximity to the device/data in question.



and that's a BIG if. The only time I ever connect to wifi is up at nolan's. My gf never uses wifi. Most of the people I know w/ android leave wifi off to help w/ the battery life.

Also, this breach necessitates physical proximity to intercept the wireless signal.

come on, the odds of someone gaining remote access to your computer is pretty low.

a few people that dont use wifi, doesnt make this any less of a issue. apple's flaw was only a issue if someone stole your phone or somehow had access to your computer.
most people i know (besides you i guess) that have a android phone, connect to a open wifi network when out.

plus this flaw gives people access to your personal information. didnt apple's issue only show where youve been?

 

[jonKranked]

come on, the odds of someone gaining remote access to your computer is pretty low.

a few people that dont use wifi, doesnt make this any less of a issue. apple's flaw was only a issue if someone stole your phone or somehow had access to your computer.
most people i know (besides you i guess) that have a android phone, connect to a open wifi network when out.

plus this flaw gives people access to your personal information. didnt apple's issue only show where youve been?

actually, it does. when you evaluate these kinds of potential breaches from a risk management standpoint, there's 2 factors:

A) sensitivity of the info (how personal is it)
B) how probably is it that access can be gained

For point A, I'd say its about a tie (apple vs android potential breaches). With the android issue, yea, its access to personal contact information. but chances are, not financial information, ssn, etc. but it is access to personal accounts.

for the apple issue, its not access to personal accounts, but by extrapolating the data, they could determine where you live, and where you work.

For point B, Apple definitely is the loser here. There's 3 ways the information could be gained (thus increasing probability of a breach): obtaining the phone, obtaining the computer its synched to, remotely accessing the computer its synched to. Not only that, the data itself is a pretty straightforward extract with free software.

For point B on android, the probability is a lot lower. 1) you have to be connected to wifi 2) the wifi has to be unsecured 3) whoever is doing the snooping has to be in the physical proximity to pick up the signal between your device and the wifi access point AND it has to be at the same time you are using it and 4) have the software capabilities to pick up your transmissions and access them (the software for which is harder to come by, and isn't as simple as extracting a db from an archive file)

 

[syadasti]

Open wifi with non SSL traffic is not secure and easily accessible, its not unique to Android and this type of attack is not news:

http://www.ridemonkey.com/forums/showthread.php?t=237513

Also regarding the tracking data, LEOs are already breaking the law and pulling data from iPhones and variety of others - how to use the iPhone tracking data is easy, so these criminal police departments can abuse the data however they please until they are put in their place:

http://www.popularmechanics.com/technology/gadgets/news/should-cops-be-alowed-to-scan-your-phone-during-a-traffic-stop-5587825?click=pm_latest

http://www.cellebrite.com/

 

[binary visions]

Open wifi with non SSL traffic is not secure and easily accessible, its not unique to Android and this type of attack is not news:

http://www.ridemonkey.com/forums/showthread.php?t=237513

I would say this particular vulnerability is different, though. Firesheep allows you to intercept a session and be a "man in the middle" for the duration of that session.

This actually allows you to capture the user credentials from what I can tell, allowing for future access to an account and it can be further exploited since most people share passwords across multiple sites.

It's definitely a severe bug but fortunately, it's being corrected for everyone with no user interaction, unlike the Apple fix which required a firmware upgrade.

 

[syadasti]

I would say this particular vulnerability is different, though.

No its not. They both involve security tokens taken over unsecured wifi, the only difference is the service and how long those tokens are valid vary by service and when the tokens have been grabbed in their useful life. On the particular applications in Android they may be valid for up to 2 weeks.

Firesheep: "Double-click, and you snarf their identifying token, and log in to the site in question as that person."

Recently we mentioned the topic of mobile security in this blog since it keeps being addressed by security researchers. Now there’s something that can be combined by networking, defective by design and mobile security. German security researcher from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or deleting is possible once you have the token. The tokens are valid for up to two weeks, so there’s no hurry involved. A few months ago the Firesheep plugin tried to address this design flaw with web applications. Similar to the Firesheep plugin you are at risk when sharing a network with our attacker – a wireless network comes to mind.

See also the article the OP linked: "Further details on the vulnerability (which is pretty much like the Firesheep vulnerability but for mobile) are below."

Lots of major services fail on this front (yes I know Google is correcting in this instance). If you are going to carry on session with any service and you care about your data, don't use open wifi - it doesn't matter who is providing the open wifi, it has not ever been considered a secure connection - get a clue newbs.

More importantly, many cellular networks are still insecure because the providers are too cheap to upgrade to modern encryption. The equipment to spoof towers is cheap and accessible these days too:

http://www.nytimes.com/2009/12/29/technology/29hack.html?pagewanted=2&_r=1&partner=rss&emc=rss

http://www.pcworld.com/businesscenter/article/202317/gsm_phone_hack_faq_what_you_should_know.html

 

[binary visions]

Looks like it was an extremely poorly written phrase in the Gizmodo article. I just re-read it:

Google's servers only need to validate your login information once, and your username and password are sent only once; afterwards, the app uses a token instead.

However, unless your device is one of the 1% with Android 2.3.4, those credentials—for Google Calendar, Twitter, Facebook, and other accounts—are submitted in the clear.

I don't know what interpretation of those words leads to anything except "your username and password are submitted in the clear."

Reading other articles clarifies that it's the authentication token problem, which is a known issue with any unsecured Wifi network and a myriad of apps... and in that case, this problem is even less special, unique or noteworthy.

 

[stevew]

no facebook.

no twitter.

no google calendar.

no fvcking care.

 

[syadasti]

Reading other articles clarifies that it's the authentication token problem, which is a known issue with any unsecured Wifi network and a myriad of apps... and in that case, this problem is even less special, unique or noteworthy.

Yeah, its hype.

NEWSFLASH - unsecured network, not secure - water is wet OMGWTFBBQ!!!

But yeah, service providers should be doing important stuff over SSL at the minimum and there are lots of other important concerns in cellular networks too. As usual they won't do anything until a major incidence or some sort of mass media bad PR.

 

[I Are Baboon]

no facebook.

no twitter.

no google calendar.

no fvcking care.

Hitler didn't use these either.

Just sayin'.