Wednesday, May 18, 2011

Researchers Find Android Security Vulnerability

As Google's Android operating system has soared into the top ranks of mobile platforms, a pending question is security. Now researchers from the University of Ulm in Germany have reported that 99 percent of Android-based devices are susceptible to attack.

The researchers found that devices running Android 2.3.3 or older are most vulnerable when logging in over open Wi-Fi because of an insecure ClientLogin authentication. ClientLogin is used for authentication by applications, and it passes an account name and password through a wireless connection.

'Impersonation Attack'

The researchers -- Bastian Könings, Jens Nickels, and Florian Schaub -- said they decided to investigate after reading a blog post by Dan Wallach from Princeton's Center for Information Technology Policy.

Wallach described risks from using Android smartphones over open Wi-Fi networks, as some Android apps transmit unencrypted information, and he wrote that "an eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar," or, as the researchers found in another posting, to Google Contacts.

The team said it wanted to know "if it is really possible to launch an impersonation attack against Google services," and found the answer is yes. It noted that it's "quite easy to do so," and could be done with any Google services by using the ClientLogin authentication protocol for access to data APIs.

The researchers said the authToken, or authentication token that is requested from the Google service, can then be used for any later request to the API and is valid for up to two weeks. But if it's used in requests over unencrypted http, the authToken can be captured and used to access any personal data through the service API.

Advice To Google, Users

As an example, the researchers noted, someone could "gain full access to the calendar, contacts information, or private web albums of the respective Google user," allowing the intruder to view, change or remove any information or media.

The greatest vulnerability is in Android 2.3.3 and older, which is present on virtually all Android smartphones -- about 99.7 percent, according to the Android Developers web site. The researchers noted that Android 2.3.4 uses a secure https connection for Calendar and Contacts apps, but the Picasa synchronization still uses plain http and is thus vulnerable.

They also said the vulnerability is not limited to standard Android apps, but applies to any apps that use the ClientLogin protocol over http rather than https.

The researchers advise all third-party app developers and synchronization services to switch to https. They also recommended that Google, whose security team has said it is investigating, should drastically limit the lifetime of an authToken, and that Google services should reject ClientLogin-based requests from insecure http connections.
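The three recommendations above (send the token only over https, bound its lifetime, and detect cleartext use) as an added Python example; this is not code from the researchers or from Google. The `GoogleLogin auth=` header form is the documented ClientLogin convention; the hostnames, the log format and the tokens in the sample log are constructed for illustration.

```python
from urllib.parse import urlsplit

# The article gives the authToken lifetime as "up to two weeks".
CLIENTLOGIN_TOKEN_LIFETIME_SECONDS = 14 * 24 * 3600

def build_authenticated_headers(url, auth_token):
    """Client-side guard: attach the ClientLogin token only when the URL is https.
    Over plain http the token is visible to anyone on the same open Wi-Fi, so the
    request is refused rather than sent."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send authToken over {scheme!r}; use https")
    return {"Authorization": f"GoogleLogin auth={auth_token}"}

def token_still_valid(issued_at, now, lifetime=CLIENTLOGIN_TOKEN_LIFETIME_SECONDS):
    """Server-side check the article recommends: a shorter lifetime bounds how long
    a captured token remains usable. Times are Unix epoch seconds."""
    return 0 <= now - issued_at < lifetime

def find_cleartext_tokens(log_lines):
    """Detection over a proxy-style log (constructed format):
    <timestamp> <method> <url> [Authorization: <value>]
    Returns (timestamp, host, path) for each request that carried a ClientLogin
    token over plain http."""
    findings = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:          # no header field at all
            continue
        ts, _method, url, rest = parts
        u = urlsplit(url)
        if u.scheme.lower() == "http" and "GoogleLogin auth=" in rest:
            findings.append((ts, u.netloc, u.path))
    return findings

# Constructed sample log: a Calendar request over https, a Picasa sync over http
# carrying a token (the case the article describes), and an http request without one.
SAMPLE_LOG = [
    "2011-05-18T10:02:11Z GET https://calendar.example.test/feeds/default/private/full Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_1",
    "2011-05-18T10:02:14Z GET http://picasa.example.test/data/feed/api/user/default Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_2",
    "2011-05-18T10:02:20Z GET http://news.example.test/headlines",
]

if __name__ == "__main__":
    for ts, host, path in find_cleartext_tokens(SAMPLE_LOG):
        print(f"{ts} cleartext authToken sent to {host}{path}")
```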

As for users, the researchers suggest updating to Android 2.3.4, switching off automatic synchronization in the settings menu when connecting with open Wi-Fi networks, and avoiding open Wi-Fi networks when using the vulnerable apps.