Researchers at Germany’s University of Ulm have disclosed some unsettling discoveries about the security of the Android platform. “The vast majority of devices running Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned.”
“The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.”
“We wanted to know if it’s really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it’s possible, and it’s quite easy to do so.”
Google patched the security hole earlier this month with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels, the researchers said.
A Google spokesman said the company’s Android team is aware of the Picasa deficiencies and is working on a fix.
[Via: The Register]