Researchers at the German University of Ulm have uncovered a vulnerability that exposes most Android devices to attacks that can steal the personal data stored on the smartphone.
The vulnerability allows an attacker to obtain the authentication data needed to access the calendar, the contacts and other information stored on Google's servers.
The flaw lies in the poor implementation of an authentication protocol called ClientLogin, which is used by all versions of the Android operating system, including the recently released Gingerbread 2.3.3.
At each login, the credentials that grant access to the Google Calendar and Contacts applications are sent in the clear, so they can be intercepted before they reach their destination and then used to access the targeted user's personal data for 14 days.
Attacks that steal this authentication data are very easy to carry out, especially when the targeted users are connected to an unsecured wireless network such as those found in public places. Authentication data can be harvested systematically from many users with a Wi-Fi access point that carries the same SSID as a nearby public network: phones that have used that network before connect to it automatically, and new users have no reason to doubt its security.
In most cases the applications installed on Android phones are configured to synchronize with Google's servers automatically as soon as an Internet connection is available. The sync with such a phantom hotspot would probably fail, but merely initiating it is enough for the attacker to obtain the authentication data of every application that has tried to contact Google's servers.
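To make the weakness concrete from an auditor's side, here is an added example (not from the article or the Ulm team) that scans a constructed capture of sync requests from a test phone and flags every ClientLogin token that left the device without TLS, together with the end of the 14-day window in which the article says the token stays valid. The `Authorization: GoogleLogin auth=` header format, the request paths and the timestamps are assumptions of this example, not details taken from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of three captured sync requests from a test phone on Wi-Fi:
# (scheme, capture timestamp, raw HTTP request). Token values are placeholders.
SAMPLE_CAPTURE = [
    ("http", "2011-05-13T10:00:00",
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=PLACEHOLDER_CONTACTS_TOKEN\r\n\r\n"),
    ("https", "2011-05-13T10:00:05",
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=PLACEHOLDER_CALENDAR_TOKEN\r\n\r\n"),
    ("http", "2011-05-13T10:00:09",
     "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

# ClientLogin carries its token in an 'Authorization: GoogleLogin auth=<token>' header
# (assumed header format for this example).
AUTH_HEADER = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
TOKEN_LIFETIME = timedelta(days=14)  # validity window the article describes


def find_cleartext_tokens(capture):
    """Return one finding per request that sent a ClientLogin token without TLS."""
    findings = []
    for scheme, ts, raw in capture:
        token = AUTH_HEADER.search(raw)
        if token is None or scheme == "https":
            continue  # no token at all, or token protected by TLS
        host = HOST_HEADER.search(raw)
        captured = datetime.fromisoformat(ts)
        findings.append({
            "host": host.group(1) if host else "?",
            "path": raw.split(" ", 2)[1],
            "token_prefix": token.group(1)[:8] + "...",  # never log the full secret
            "usable_until": (captured + TOKEN_LIFETIME).isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_tokens(SAMPLE_CAPTURE):
        print(finding)
```

Only the plain-HTTP contacts request is reported; the calendar request carried the same kind of token but over TLS, which is the difference the article's mitigations aim for.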
Given that you are almost certainly among the 99% of users who are vulnerable, it is good to know how you can protect yourself:
1. Temporarily disable contact and calendar synchronization (Settings, Accounts & sync, choose the current account, and there uncheck Gmail or ActiveSync synchronization for contacts and calendar). Re-enable sync once you are confident that nobody is watching your traffic;
2. Use free Wi-Fi connections as little as possible;
3. Update to the newest version of Android as soon as you can;
4. Even if it is more expensive, choose to synchronize over 3G.