The Latest in IT Security

Android’s Anomaly?


Reports are coming out today about Google Android and how approximately 99.7% of its users are potentially open to compromise. The news cycle started when Ulm University published some of its results on the 13th of May. I'm sure this story will develop and CTAC may follow up on my blog with more details; however, let us focus on what journalists are reporting as fact:

  1. Upgrade to Android 2.3.4 or 3.0.
  2. Versions 2.3.3 and prior are vulnerable.
  3. Your Android device and the attacker must both be on the same public, unencrypted WiFi network.

The issue at hand is that the vulnerable OS versions connect to Calendar Sync, Contacts Sync and Picasa Sync in plaintext. The new version of Android connects to these services over WiFi using encryption, that is, HTTPS. The exception is Picasa Sync, which may still use a plaintext connection. A chart provided by Ulm University is shown below for convenience; "yes" means the sync service connects over HTTPS:


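| Android version | Calendar Sync | Contacts Sync | Picasa Sync (Gallery) |
|-----------------|---------------|---------------|-----------------------|
| 3.0             | yes           | yes           | ?                     |
| 2.3.4           | yes           | yes           | no                    |
| 2.3.3           | no            | no            | no                    |
| 2.2.1           | no            | no            | n/a                   |
| 2.2             | no            | no            | n/a                   |
| 2.1             | no            | no            | n/a                   |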


What exactly is the issue, now that we know how to potentially protect ourselves? Google uses a protocol called ClientLogin to authenticate applications. ClientLogin sends back a token called authToken, and unfortunately the affected implementations may transmit that token in plaintext. On a public, open WiFi network an attacker may swipe this authToken and then use it to impersonate you.
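One way to check whether a device you control still sends its authToken without TLS is to scan the request log of a proxy placed in front of it. The following is an added example, not code from the original post or from Ulm University; the record format, host names and token values are constructed, and it assumes the token travels in the `Authorization: GoogleLogin auth=<token>` header that ClientLogin clients use.

```python
import hashlib
import re
from urllib.parse import urlsplit

# ClientLogin clients present the token as "Authorization: GoogleLogin auth=<token>".
AUTH_RE = re.compile(r"^\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE)


def find_plaintext_tokens(requests):
    """Return one finding per request that carries an authToken without TLS."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        # Header names are case-insensitive, so normalise them before lookup.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        match = AUTH_RE.match(headers.get("authorization", ""))
        if not match or url.scheme.lower() == "https":
            continue  # no token present, or the token was protected by TLS
        # Report a short fingerprint so the audit output never contains the token.
        digest = hashlib.sha256(match.group(1).encode()).hexdigest()[:12]
        findings.append({"host": url.hostname, "path": url.path,
                         "token_sha256_prefix": digest})
    return findings


# Constructed sample records, shaped like an export from a proxy in front of a test device.
SAMPLE = [
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-A"}},
    {"url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-B"}},
    {"url": "http://photos.example.test/data/feed",
     "headers": {"AUTHORIZATION": "googlelogin auth=CONSTRUCTED-TOKEN-C"}},
    {"url": "http://static.example.test/logo.png",
     "headers": {"User-Agent": "constructed"}},
]

if __name__ == "__main__":
    for f in find_plaintext_tokens(SAMPLE):
        print(f"plaintext authToken -> {f['host']}{f['path']} "
              f"(sha256 prefix {f['token_sha256_prefix']})")
```

Any finding means the sync client on that device is still talking to the service over plain HTTP and the OS should be upgraded.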

What is the feasibility of this occurring? Lots of cybercrime occurs remotely. Sure, there is WiFi "wardialing"; however, I think the chances of a regular user coming under attack are probably not that high. Being paranoid, I still recommend upgrading your Android OS and staying away from public WiFi networks. Be mindful of where you are and what your systems connect to.


Portions of this page (Google Android Image) are reproduced from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.
