Massive Android Security Hole Affects up to 99% of All Android Users


Three researchers at the University of Ulm in Germany have discovered a massive security hole in Android – so big, in fact, that it affects at least 97%, and as many as 99%, of all Android users. The researchers, Bastian Könings, Jens Nickels, and Florian Schaub, found that the flaw lets anyone sniffing your connection on an unsecured wireless network capture your Google authorization credentials from a specific token (the authToken). With that token they gain access to your contacts, your calendar and, well – really any application that authenticates you using the Google authorization credentials contained within that authToken.

And, it’s not hard to do.

Says Könings, “You don’t even need a programming degree. It is all very well documented by Google. These attacks are very easy.”

Moreover, adds Könings, each authToken is valid for up to two weeks.

Earlier today Google released a statement, saying that “We are aware of the issue and we have already been able to fix the problem in the latest version of Android for the calendar and contacts and we are currently in the process of solving it for Picasa.”

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.


The issue affects all Android users except for that very small portion of Android users who already have Android version 2.3.4 – which is estimated to be no more than 3% of all Android users.

That means that if you are in the 97% to 99% running anything lower than 2.3.4 – i.e. 2.3.3 or lower – you are at risk.

Earlier this month, Google estimated that nearly 80% of Android users are running Android 2.1 or Android 2.2.

So what can you do until Google rolls out a security update for Android?

First, understand that this attack can only reach you if you use your device over a wireless access point (i.e. via wifi). If you keep wifi turned off and use your phone only on your 3G or other cellular carrier network, you are safe.

If for some reason you must use wifi on your Android device, the safest thing is to not connect to any unsecured (non-password-protected) wifi. In addition, delete all saved wifi connections. One way a hacker can trick your device is to give their own access point a very common network name: the odds are that your device has connected to a network with that same name before and remembered it, so it will automatically join the hacker-provided network with the same name (iPhones are known for joining any network that calls itself “attwifi”).

Then, when you get that message on your device that an Android update is available, be sure to update immediately.

UPDATE: Google says that they have remedied the issue by changing how Android devices connect to Contacts and Calendar, requiring https: (a secure connection) instead of http:. We, however, remain unconvinced: the issue was that the authToken (which contains your authorization credentials) was being sent in the clear, and thus could be sniffed, and other third-party apps and services also use that authToken. Even Google admits that it is still an issue for their own service, Picasa.
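To make the fix described above concrete, here is an added example (not code from the article, from the Ulm researchers, or from Google) showing the two sides of the problem from a defender's view: a client-side guard that refuses to attach an authToken to anything but an https: URL, which is the effect of the change Google describes, and a detection pass over constructed HTTP proxy-log lines that flags requests where a token travelled over plain http:, which is how a network team would spot third-party apps that still send it in the clear. The log line format, the `Authorization` header shape, the `.example` hostnames and the token values are all assumptions made up for this example.

```python
"""Added example: enforce and detect https-only transport for an authToken.

Nothing here is the article's or Google's own code.  The log format, the
header shape and all hostnames/token values are constructed assumptions.
"""
import re
from urllib.parse import urlparse


class CleartextTokenError(Exception):
    """Raised when an authToken would be sent over an unencrypted connection."""


def is_cleartext(url: str) -> bool:
    """True when the URL would carry its request in the clear (anything but https)."""
    return urlparse(url).scheme.lower() != "https"


def guard_token_request(url: str, auth_token: str) -> dict:
    """Build request headers carrying the token, but only for an https: URL.

    This is the client-side equivalent of the fix the article describes:
    the token simply never leaves the device over http:.
    """
    parsed = urlparse(url)
    if is_cleartext(url):
        raise CleartextTokenError(
            f"refusing to send authToken over {parsed.scheme or 'no'} scheme: {url}"
        )
    if not parsed.hostname:
        raise CleartextTokenError(f"URL has no host: {url}")
    # Assumed header shape for the example; real clients may differ.
    return {"Authorization": f"GoogleLogin auth={auth_token}"}


# Assumed proxy/access-log format: <timestamp> <client_ip> <method> <url> auth=<yes|no>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) auth=(?P<auth>yes|no)$"
)


def find_cleartext_tokens(lines):
    """Return (client_ip, host, method) for every request that sent a token over http:.

    Lines that do not match the assumed format are skipped rather than failing
    the whole pass, so a mixed log can be scanned in one go.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url = urlparse(m["url"])
        if m["auth"] == "yes" and url.scheme.lower() == "http":
            findings.append((m["client"], url.hostname, m["method"]))
    return findings


# Constructed sample log: one cleartext token leak per vulnerable app, one
# https request that is fine, one anonymous request, and one unparseable line.
SAMPLE_LOG = [
    "2011-05-18T10:01:02Z 10.0.0.5 GET http://calendar.example/feed auth=yes",
    "2011-05-18T10:01:03Z 10.0.0.5 GET https://contacts.example/feed auth=yes",
    "2011-05-18T10:01:04Z 10.0.0.7 GET http://news.example/index.html auth=no",
    "2011-05-18T10:01:05Z 10.0.0.9 POST http://picasa.example/upload auth=yes",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for client, host, method in find_cleartext_tokens(SAMPLE_LOG):
        print(f"cleartext authToken: {client} -> {method} {host}")
    try:
        guard_token_request("http://calendar.example/feed", "CONSTRUCTED_TOKEN")
    except CleartextTokenError as exc:
        print(f"blocked: {exc}")
    print(guard_token_request("https://contacts.example/feed", "CONSTRUCTED_TOKEN"))
```

Run as-is, the detector reports the calendar and Picasa requests from the constructed log and leaves the https contacts request alone, and the guard raises before the token is ever attached to the http: URL. The guard is the part that actually closes the hole on the device; the detector only tells you which apps have not yet been fixed.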


One thought on “Massive Android Security Hole Affects up to 99% of All Android Users”

  1. This article incorrectly claims that Android users require an upgrade to be able to securely use an open WiFi network.

    Android users don’t need an upgrade, and they don’t need to avoid public WiFi, because Google has already rolled out a server-side fix. The problem with Calendar and Contacts has been fixed very simply, at the server end, by forcing the use of HTTPS to send the token.

    There’s still a vulnerability with Picasa, but far fewer users use that application, and it shouldn’t be used on an open network because of this problem.

    See http://www.engadget.com/2011/05/18/google-confirms-android-security-issue-server-side-fix-rolling/
