Thursday, May 19, 2011

Google Promises Automatic Android Security Fix

In the wake of Google's self-proclaimed momentum at the Google I/O conference last week, the creator of Android is getting hit with some stark realities about the security of its open-source operating system. A newly discovered flaw could affect nearly every Android device in use.

There are 100 million activated Android devices, according to Google, and 400,000 new devices are activated every day. In all, researchers at Ulm University in Germany who discovered the flaw last week estimate about 98 percent of Android users are vulnerable.

"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," the researchers wrote in a blog post. "Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs."

How Bad Is It?

Google responded with an official statement: "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts. This fix requires no action from users and will roll out globally over the next few days."

As Mike Paquette, chief strategy officer at Top Layer Security, sees it, Google is dealing with a serious vulnerability -- and individual users could indeed lose confidential information.

Still, he added, this doesn't reach the "sky is falling" category since the attacker would require some level of physical proximity to the victim to steal the authentication tokens that would enable fraud, theft or loss.

"This attack is similar to another known technique called 'session ID stealing,' where attackers could gain access to a user's e-mail account by 'stealing' an active session ID by 'listening' on a public Wi-Fi network," Paquette said.

"Android users should avoid using public Wi-Fi or any Wi-Fi that is not using good encryption, and should consider disabling all use of client log-ins until they can upgrade their software to fix this vulnerability. It is likely that attackers would target areas with large numbers of users of public Wi-Fi in order to have the greatest return."

Wait for a Fix?

Although Google is promising an automatic fix, the German researchers indicated consumers don't have to wait. Android users can update to Android 2.3.4 to sidestep the vulnerability. However, they also noted that it may take weeks or months for an update to become available, depending on the phone vendor.

The researchers also suggested that Android users switch off automatic synchronization when connecting to open Wi-Fi networks. Users can also make a device forget a previously used open network by selecting "forget" in that network's settings, or simply avoid open Wi-Fi networks altogether.

As for Google, the researchers said the company should drastically limit the lifetime of an authToken. What's more, they said, Google services could reject client log-ins arriving over insecure http connections in order to enforce the use of https, and could limit automatic connections to protected networks.
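Those two service-side recommendations, as an added Python example that is not from the article, the researchers or Google: a toy validator that refuses a ClientLogin-style authToken presented over plain http and rejects tokens older than an assumed maximum lifetime. The signing key, the account name and the lifetime are constructed placeholders, and embedding the issue time in an HMAC-signed token is one stateless way to enforce a lifetime, not a description of how Google's tokens are built.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed placeholder key; a real service would keep this in a secret store.
SERVER_KEY = b"example-server-key-not-a-real-secret"
# Assumed maximum authToken lifetime in seconds; the real figure is a policy choice.
MAX_TOKEN_AGE = 3600


def issue_token(account: str, issued_at: int) -> str:
    """Mint a ClientLogin-style authToken that carries its own issue time,
    signed with HMAC so the service can enforce a lifetime without storing state."""
    payload = f"{account}|{issued_at}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_token(token: str, scheme: str, now: int) -> Tuple[bool, str]:
    """Accept the token only if it arrived over https, is authentic, and is
    younger than MAX_TOKEN_AGE. Returns (ok, account_or_reason)."""
    # Mitigation 1: refuse token use over plain http, so a token is never
    # exposed in the clear to an eavesdropper on an open Wi-Fi network.
    if scheme != "https":
        return False, "token presented over insecure transport"
    try:
        account, issued_str, mac = token.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(
        SERVER_KEY, f"{account}|{issued_at}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    # Mitigation 2: a short lifetime bounds how long a captured token stays
    # replayable; a token "issued" in the future is rejected as well.
    if not 0 <= now - issued_at <= MAX_TOKEN_AGE:
        return False, "token expired"
    return True, account
```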