Anyone browsing over an unencrypted Wi-Fi network with an Android 2.3.x smartphone or tablet can potentially expose their Google Calendar, Contacts and online photos to anyone sniffing the connection. Almost all Android users are potentially affected by this security leak.
The attack vector is very simple, and an attacker doesn't need much technical know-how to obtain the credentials. All that is needed is a Wi-Fi network without encryption, on which the authentication information is sent in plain text. Even worse, if the smartphone has previously used a secured wireless network with the same name as the unencrypted one, the device will automatically connect to that network without asking the user for permission.
As soon as an Internet connection is available, some Google services on the Android phone automatically try to sync with the Google backend. Over an unencrypted connection, the attacker can sniff the login information and impersonate the user for these services. The captured authentication information (called the authToken) remains valid for approximately two weeks, which is extremely long. Because this token is not bound to a login session or a device, the attacker can use it to gain access to the multitude of services that accept that authentication token.
All this is possible only because not all Google services use an encrypted connection to communicate with the backend. Of the services listed below, only those marked "yes" use HTTPS; those marked "no" use unencrypted HTTP.
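A defensive way to build that yes/no table for your own device is to audit a packet capture and flag every host that receives a credential header over plaintext HTTP. The following is an added example, not code from the original post; the hostnames, paths and token value are constructed, and the `GoogleLogin auth=` header format is assumed as the ClientLogin convention for the authToken.

```python
from collections import defaultdict
# Headers that carry a reusable credential. The "GoogleLogin auth=" value is the
# ClientLogin authToken the post refers to; a Cookie can carry a session just as well.
CREDENTIAL_HEADERS = ("authorization", "cookie")

def parse_request(payload):
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header dict."""
    lines = payload.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers
def redact(value, keep=4):
    """Keep the scheme and a short token prefix so the report never stores the credential."""
    scheme, sep, secret = value.partition("=")
    return f"{scheme}{sep}{secret[:keep]}..." if sep else f"{value[:keep]}..."
def audit_capture(records):
    """Plaintext flows: 'dst_port' 80 plus the raw request in 'payload'. TLS flows:
    'dst_port' 443 plus only the 'sni' host, since headers are not visible on the wire.
    Returns {host: {"encrypted": bool, "plaintext_credentials": [redacted header, ...]}}."""
    report = defaultdict(lambda: {"encrypted": True, "plaintext_credentials": []})
    for rec in records:
        if rec["dst_port"] == 443:
            _ = report[rec["sni"]]  # create the entry; it stays encrypted unless seen in clear
            continue
        _, headers = parse_request(rec["payload"])
        entry = report[headers.get("host", "<unknown>")]
        entry["encrypted"] = False  # any sighting on port 80 marks the host as plaintext
        for name in CREDENTIAL_HEADERS:
            if name in headers:
                entry["plaintext_credentials"].append(f"{name}: {redact(headers[name])}")
    return dict(report)
def https_table(report):
    """Collapse the audit into the yes/no 'uses HTTPS' view the post refers to."""
    return {host: "yes" if info["encrypted"] else "no" for host, info in report.items()}

# Constructed sample capture (not real traffic): two sync services sending the token
# over HTTP, one talking TLS, and one plain request that carries no credential.
TOKEN = "DQAAAConstructedSampleTokenValue"
SAMPLE_CAPTURE = [
    {"dst_port": 80, "payload": f"GET /feeds/calendar HTTP/1.1\r\nHost: calendar.sync.example\r\nAuthorization: GoogleLogin auth={TOKEN}\r\n\r\n"},
    {"dst_port": 80, "payload": f"GET /feeds/contacts HTTP/1.1\r\nHost: contacts.sync.example\r\nAuthorization: GoogleLogin auth={TOKEN}\r\n\r\n"},
    {"dst_port": 443, "sni": "mail.sync.example"},
    {"dst_port": 80, "payload": "GET /logo.png HTTP/1.1\r\nHost: static.sync.example\r\n\r\n"},
]
print(https_table(audit_capture(SAMPLE_CAPTURE)))
```

Any host reported as "no" together with a non-empty `plaintext_credentials` list is exactly the case the post describes: a reusable token visible to anyone on the same open network.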
This attack is not new. We have already seen it in sidejacking attacks – stealing the session cookies of a website – and the proof of concept drew a lot of attention. We wrote in a previous post about the Firesheep plugin and how much media attention it received.
According to Google, only 0.3% of the Android market uses version 3.0 of the OS, which leaves about 99.7% of Android users unprotected against this type of attack.
Google definitely has a lot of work to do to protect its users and avoid such bad publicity:
- Automatic synchronization of services on Android should happen only when the wireless connection is secure; syncing over unsecured connections should be refused
- Reduce the lifetime of the authentication token to hours or days
- Enforce the use of HTTPS everywhere
To be on the safe side, we advise our readers not to use unprotected wireless networks to log in to any service that doesn't use a secured connection. Because it is not always easy to identify which services use a secured connection and which don't, I advise never using unsecured connections to log in to services at all. Depending on the vendor of your Android smartphone, you should also update immediately to Android 2.3.4 or 3.0, whichever is available. However, it is well known in the industry that these vendor updates do not closely follow the Android OS releases and usually arrive months later.
Sorin Mustaca
Data Security Expert