Security Hole Found in Android Phones
Wednesday, May 18, 2011 at 6:13AM
Rick C. Limpert in Android Phones, Gadgets, Internet, News, Security flaw, Telephones, hole, login

A recent report says some 99.7% of Android devices in circulation are vulnerable to an attack that could compromise sensitive data transmitted over a wireless network connection. The hole reportedly stems from a flaw in Google's ClientLogin authentication protocol, which verifies communication between Android devices and applications.

To use ClientLogin, an app requests an authentication token (authToken) from the Google service by passing an account name and password over an HTTPS connection. The returned authToken can be used for any subsequent request to the service API. In addition to remaining valid for up to two weeks, it is not bound to any session or device-specific information.

Those attributes wouldn't be an issue if attackers couldn't obtain an authToken, but that isn't the case.

The article notes that many applications can send such data over an unencrypted HTTP connection, making it easy for unsavory types to obtain the authToken with software utilities such as Wireshark.
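To check an app for the behaviour described above, the following added example (not from the original article or from Google) audits a log of outgoing requests for authTokens sent over plain HTTP. The request records and host names are constructed, and the `Authorization: GoogleLogin auth=` header format comes from the ClientLogin documentation rather than from this page.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)   # "up to two weeks", per the article
PREFIX = "GoogleLogin auth="          # ClientLogin Authorization header scheme

# Constructed sample records: (timestamp, URL, request headers).
SAMPLE_REQUESTS = [
    ("2011-05-18T06:00:02", "http://calendar.example.test/feeds",
     {"Authorization": "GoogleLogin auth=TOKEN_A"}),
    ("2011-05-18T06:00:05", "https://contacts.example.test/feeds",
     {"Authorization": "GoogleLogin auth=TOKEN_B"}),
    ("2011-05-19T09:30:00", "https://calendar.example.test/feeds",
     {"Authorization": "GoogleLogin auth=TOKEN_A"}),
    ("2011-05-18T06:00:09", "http://static.example.test/logo.png", {}),
]

def extract_token(headers):
    """Return the authToken from a ClientLogin Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith(PREFIX):
            return value[len(PREFIX):].strip()
    return None

def audit(requests):
    """Map each token sent over cleartext HTTP to its earliest exposure."""
    exposed = {}
    for ts, url, headers in requests:
        token = extract_token(headers)
        if token is None or urlsplit(url).scheme.lower() != "http":
            continue
        seen = datetime.fromisoformat(ts)
        if token not in exposed or seen < exposed[token]["first_seen"]:
            # Upper bound: the token was issued at or before this sighting.
            exposed[token] = {"first_seen": seen, "url": url,
                              "usable_until": seen + TOKEN_LIFETIME}
    return exposed

def is_exposed(exposed, token, when_iso):
    """True if the token leaked in cleartext and may still be valid at that time.
    Later use over HTTPS does not help: the token is not bound to a session."""
    hit = exposed.get(token)
    when = datetime.fromisoformat(when_iso)
    return hit is not None and hit["first_seen"] <= when <= hit["usable_until"]

if __name__ == "__main__":
    for token, hit in audit(SAMPLE_REQUESTS).items():
        print(token, hit["url"], "usable until", hit["usable_until"].isoformat())
```

Any token the audit reports should be treated as exposed for the rest of its lifetime, and the request that sent it should be moved to HTTPS.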

I'm sure they are working on fixing this at this moment. Android users, look for an update or updates soon.

Article originally appeared on RickLimpert.info (http://ricklimpert.squarespace.com/).
See website for complete article licensing information.