It seems as if 99% of Android smartphones may be at risk from a “ClientLogin” vulnerability that could allow cyber criminals to view or edit calendar entries, contact info and private web albums.
“To [access] ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via a https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks,” a team of Ulm University researchers explained in an official blog post.
“However, if this authToken is used in requests sent over unencrypted http, an adversary can easily sniff the authToken with Wireshark. Because the authToken is not bound to any session or device specific information, the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API.”
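The researchers' explanation reduces to two defender-side checks: a client must never attach the bearer authToken to a request that is not carried over TLS, and a network sensor or proxy log can be scanned for tokens that did travel in the clear. The Python below is an added example, not code from the article, from the Ulm team or from Google; the `GoogleLogin auth=` header form is an assumption about how ClientLogin tokens were carried, and the hostnames and log format are constructed for the example.

```python
from urllib.parse import urlparse

# ClientLogin header form, assumed here (not taken from the article).
TOKEN_HEADER_PREFIX = "GoogleLogin auth="


def attach_auth_token(url: str, auth_token: str) -> dict:
    """Build request headers for `url`, refusing to attach the bearer token
    unless the request will travel over https. The authToken is not bound to
    a session or device, so any plaintext exposure is a full credential leak."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send authToken over {scheme or 'unknown scheme'}: {url}")
    return {"Authorization": TOKEN_HEADER_PREFIX + auth_token}


def find_cleartext_tokens(log_lines):
    """Scan proxy/sensor log lines and return (host, path) pairs where a
    ClientLogin token was sent without TLS. Constructed log format, one
    request per line: "<scheme> <host> <path> <authorization value or ->"."""
    findings = []
    for line in log_lines:
        parts = line.strip().split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        scheme, host, path, authz = parts
        if authz.startswith(TOKEN_HEADER_PREFIX) and scheme.lower() != "https":
            findings.append((host, path))
    return findings


# Constructed sample log: hosts, paths and token value are placeholders.
SAMPLE_LOG = [
    "https calendar.example.test /feeds/default GoogleLogin auth=TOKEN_PLACEHOLDER",
    "http calendar.example.test /feeds/default GoogleLogin auth=TOKEN_PLACEHOLDER",
    "http albums.example.test /feed/api/user/default GoogleLogin auth=TOKEN_PLACEHOLDER",
    "http www.example.test /index.html -",
    "garbage line",
]


if __name__ == "__main__":
    print(attach_auth_token("https://calendar.example.test/feeds/default", "TOKEN_PLACEHOLDER"))
    try:
        attach_auth_token("http://calendar.example.test/feeds/default", "TOKEN_PLACEHOLDER")
    except ValueError as exc:
        print("blocked:", exc)
    for host, path in find_cleartext_tokens(SAMPLE_LOG):
        print("cleartext token seen:", host, path)
```

The client guard is the fix that Android 2.3.4 applied in spirit (switch the affected services to https); the log scan is what an operator can run over existing captures to find devices that are still leaking tokens on open networks.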
As Sophos Security researcher Graham Cluley notes, the above-mentioned vulnerability highlights the security risks associated with Google’s fragmented mobile OS.
“[Yes], the problem may have been fixed in Android 2.3.4, but 99% of Android users are vulnerable because they haven’t upgraded to the latest version (Gingerbread). Unfortunately it’s not always possible to easily update the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.
“There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren’t so simple for Google’s users. This fragmentation inevitably leaves Android devices open to security problems.”
So what can concerned Android owners do?
Well, if you can’t upgrade to Gingerbread, Cluley recommends avoiding open Wi-Fi networks, as your communications may not be properly protected.
“Using 3G may eat into your data plan, but it’s far less likely that your communications are being snooped upon,” he added.