Gadgets19.05.2011

Android security vulnerability to be patched

Earlier this week (16 May 2011), The Register reported that researchers from the Institute of Media Informatics at Germany’s University of Ulm discovered a disconcerting security vulnerability that affected most Android devices.

The security hole potentially allows attackers to gain access to “all Google services using the ClientLogin authentication protocol for access to its data APIs” for up to two weeks. This includes, but is not limited to, Google Contacts and Google Calendar.

This is due to the use of authentication tokens (authTokens) that are stored on an affected device for up to 14 days, which are transmitted unencrypted to Google’s servers.

According to the researchers, the hole affects 99.7% of Android devices as it is present in all versions of Google’s Android mobile operating system before version 2.3.4.

Technical product manager of mobile devices for LG South Africa, Kenneth Hales, has also confirmed that the issue is manufacturer-agnostic. “Currently all Android devices in the South African market running versions older than 2.3.4 could potentially be vulnerable to this threat,” Hales said.

Be wary of unsecured connections

Hales warned that users should be wary of connecting to unencrypted wireless networks. If you connect to an open Wi-Fi hotspot with an Android device an attacker could potentially intercept your authToken and use it to gain access to at least your contact and calendar data on Google’s services.

Should you have to connect to an open hotspot, Hales concurs with the German researchers that users must turn off the “Background data” and “Auto-sync” options to protect themselves. “This will prevent the phone from Syncing on the network and sharing potential personal login details with unsuspected ‘sniffers’,” Hales said.

“If users [of LG Android smartphones] are in the habit of using free Wi-Fi for checking Gmail, they can setup their Gmail account on the LG Mail client using IMAP and SSL. This will ensure that mail sync is secure and personal information is not shared on the unencrypted network,” Hales added.

Fixes in the works

Hales said that LG does have solutions for updates and are looking at the logistics of updating the devices “in the wild.” However, it should be kept in mind that all new software and patches need to be done in conjunction with the local network providers, he added. “Devices planned for release later on in the year should not be susceptible to this vulnerability, as LG is working on a solution.”

Leaf International Communications, the distributors of HTC products in South Africa, forwarded the feedback they received from Google on the issue: “Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” Google said.

“This fix requires no action from users and will roll out globally over the next few days.”

Android security vulnerability to be patched << Comments and views

Show comments

Latest news

More news

Trending news

Poll

Which mobile network do you use for your primary smartphone?

View Results

Loading ... Loading ...
Sign up to the MyBroadband newsletter