Study finds 99.7% of Android phones prone to ‘impersonation attacks’
Android might look like a safe system, but researchers from the German University of Ulm have discovered that using it on an open Wi-Fi network leaves a hole open for impersonation attacks. Which devices are prone to the attack? 99.7% of Androids, or pretty much every device except for the few running Android 2.3.4. The researchers summed up their findings on whether it’s possible to launch an attack against Google services:
“Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”
source: University of Ulm via TheNextWeb
It’s the unencrypted HTTP protocol used by ClientLogin that allows the user’s password and username to be easily sniffed. The scale of this is pretty big, as the researchers further explain:
“For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.”
Luckily, it seems that the secure HTTPS protocol has been implemented for calendar and contacts authentication in Android 2.3.4, but pictures synced through Picasa could still be subject to the attack. To minimize the chance of having your data stolen, you could avoid using public open Wi-Fi networks or turn off automatic syncing from the Settings menu on your Android device. Hopefully, Google will release a fix for the issue now that the research has been published, but in the meantime let us know your opinion. Is that a serious issue for you?