A widespread Android personal-data leak has just been revealed, as Gizmodo reports. The vulnerability affects 99 per cent of Android phones and may allow hackers to steal your Facebook, Google Calendar or other personal data if you use a rogue open Wi-Fi network. Here’s how to protect yourself.
Photo by Johan Larsson.
The vulnerability affects apps that use an authentication protocol known as ClientLogin in Android 2.3.3 and earlier. The ClientLogin API is meant to tighten security and improve the performance of apps, because Google’s servers only need to validate your login information once: your username and password are sent a single time, and afterwards the app uses a token instead.
However, unless your device is one of the 1 per cent running Android 2.3.4, those credentials — for Google Calendar, Twitter, Facebook and other accounts — are submitted in the clear. This can give attackers access to those accounts if you unwittingly connect to an unencrypted wireless network set up by the attacker.
An attacker only needs to set up a Wi-Fi access point with a common SSID, such as “starbucks”, and when your Android phone tries to connect automatically, the hacker can capture the authentication tokens for your accounts.
The best recourse here is to turn off automatic Wi-Fi connections and use 3G or 4G mobile service rather than an unsecured wireless network. If you do need to use Wi-Fi at a hotspot for some reason (e.g. you have a Wi-Fi only tablet), use something like the recently covered SSH Tunnel app, which creates a secure connection between your device and a server to keep data safe from prying eyes. As a very last resort, manually connect to an open Wi-Fi network only after verifying it’s the real deal.
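If you want to check whether an app on your own phone is still sending its ClientLogin token in the clear, route the device through a debugging proxy you control and run a check like the one below over the captured requests. This is an added example, not code from the original article or from Google; the captures are constructed samples, and the only real detail assumed is the header format the ClientLogin API used (`Authorization: GoogleLogin auth=<token>`).

```python
"""Audit captured HTTP requests for ClientLogin tokens sent without TLS."""
import re
from urllib.parse import urlsplit

# Header shape used by Google's ClientLogin API: "Authorization: GoogleLogin auth=<token>"
AUTH_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.I)


def parse_request(raw):
    """Split one captured request (absolute-form request line, as a debugging
    proxy records it) into method, URL parts and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target), headers


def plaintext_token_findings(captures):
    """Return (host, path, token_hint) for every request that carries a
    ClientLogin token over plain http. Only a short prefix of the token is
    reported so the audit output does not itself become a credential leak."""
    findings = []
    for raw in captures:
        _method, url, headers = parse_request(raw)
        match = AUTH_RE.match(headers.get("authorization", ""))
        if match and url.scheme.lower() != "https":
            findings.append((url.netloc, url.path, match.group(1)[:6] + "..."))
    return findings


# Constructed sample captures (not real traffic): two token-bearing requests
# over http, one over https, and one request with no token at all.
SAMPLE_CAPTURES = [
    "GET http://www.google.com/calendar/feeds/default/private/full HTTP/1.1\r\n"
    "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAK4ExampleToken0001\r\n\r\n",
    "GET https://www.google.com/m8/feeds/contacts/default/full HTTP/1.1\r\n"
    "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAK4ExampleToken0002\r\n\r\n",
    "GET http://picasaweb.google.com/data/feed/api/user/default HTTP/1.1\r\n"
    "Host: picasaweb.google.com\r\nAuthorization: GoogleLogin auth=DQAAAK4ExampleToken0003\r\n\r\n",
    "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n",
]

if __name__ == "__main__":
    for host, path, hint in plaintext_token_findings(SAMPLE_CAPTURES):
        print(f"PLAINTEXT TOKEN: {host}{path} auth={hint}")
```

Any line the script prints is an app that would leak its token to a rogue hotspot; the https request and the token-free request are correctly left out.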
Further details on the vulnerability (which is essentially the Firesheep vulnerability, but for mobile) are below. You can also read up on how to stay safe on public Wi-Fi networks (written for laptops, but the advice may also apply to your other mobile devices) and why you should avoid “free public Wi-Fi”.
99% of Android phones leak secret account credentials [The Register]