To avoid having your account illegally accessed, avoid the Facebook and Twitter apps for Android when on an open Wi-Fi connection. Simply use your browser of choice and navigate to the https version of these pages. Kill the Calendar app while you're at it, so it cannot be accessed either.
Newly aired authentication hack poses serious, but avoidable risk to Android owners

Authentication schemes have often been adopted by widely used websites out of convenience, but they've also become a growing source of serious security risks in recent history.  In an open Wi-Fi network a stranger, with the proper tools, can see everything including your authentication token.  With that token they can access your Facebook or Twitter account, with little skill involved.

Such issues were long thought to be confined to the PC, with programs like Firesheep making exploitation a cakewalk for novice hackers.  However, a weak authentication API (application programming interface) has made Google's Android OS the latest victim of such exploits.

Like PCs, Google's API requests a token by sending an encrypted password and user name over a clear http connection.  Since http is used, the response token is broadcast in plaintext over your network connection.  That means that on a public network everyone can see it.

The exploit was just discovered [press release] this week by Bastian Könings, Jens Nickels, and Florian Schaub, a trio of German researchers at the University of Ulm.  They conducted a proof of concept attack, using Wireshark to sniff the packets containing the authentication token from certain Android apps.  They found that any Android version prior to 2.3.4 (the most recent version of Android "Gingerbread") was susceptible.

The exploit affects all first and third party apps that make use of the ClientLogin API.  Apps that use this API for authentication include Facebook, Twitter, and Google's own Calendar app.

It is unknown whether iOS's authentication-dependent APIs are completely secure or whether one or more of them might have similar issues.  But pro-Apple commentators were quick to gloat about this apparent security embarrassment for Android.  Daring Fireball blogger John Gruber took the opportunity to take a jab at the laggard pace of updates from Android hardware makers and phone carriers, writing:

I’m sure most Android handsets will be updated to version 2.3.4 or later very soon, so no worries.

While the exploit is indeed troublesome, there's still plenty that Android users who don't have the update can do to protect themselves.  First and foremost they can avoid open Wi-Fi networks.

If that's not an option, users can still safeguard themselves with a bit of work.

Android users can simply access Facebook and Twitter via the https versions of the pages in the browser, instead of using the commonly used Android apps.  There shouldn’t be any authentication issues if that approach is taken.

The calendar is a bit more problematic, as there's no way to safeguard it.  Android users' best bet is to kill their calendar app when they're on an open connection.

Again these steps are only necessary if you are on an open Wi-Fi connection.

The good news is that Google appears to be moving to fix this issue.  It has already enforced mandatory use of https (which does not reveal the authtoken in plain text) in its Google Docs API, and this change is expected to spread to the rest of the authentication-dependent APIs shortly.  Given the press coverage this hack is getting, we're guessing that will be pushed out as a patch sooner rather than later.
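As an added example, not code from the article or from Google, here is the client-side counterpart of that mandatory-https policy: an audit over an app's outbound requests that flags any credential sent over plain http, plus a request builder that refuses to attach a token to a non-https URL. The `Authorization: GoogleLogin auth=...` header is the form ClientLogin documented; the hostnames, token value and the header/parameter name lists are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Header and query-parameter names treated as credential carriers. These are
# assumed names for the example, not a list taken from the ClientLogin spec.
TOKEN_HEADERS = {"authorization", "cookie"}
TOKEN_PARAMS = {"auth", "authtoken", "token"}


class InsecureTransportError(Exception):
    """Raised when a credential would be sent over a non-TLS connection."""


def token_exposed(url, headers=None):
    """Return True if this request would carry a credential over plain http.

    On an open Wi-Fi network every other station can read anything not
    wrapped in TLS, so a token in a header or query string of an http://
    URL is effectively public.
    """
    parsed = urlparse(url)
    carries_token = any(h.lower() in TOKEN_HEADERS for h in (headers or {}))
    carries_token |= any(p.lower() in TOKEN_PARAMS for p in parse_qs(parsed.query))
    return carries_token and parsed.scheme.lower() != "https"


def audit_requests(records):
    """Return the URL of every (url, headers) pair that leaks a credential.

    Meant to run over a developer proxy log or an app's outbound-request
    hook, catching the Calendar-style mistake before the app ships.
    """
    return [url for url, headers in records if token_exposed(url, headers)]


def authorized_request(url, token):
    """Build the auth header for `url`, refusing cleartext transport outright."""
    if urlparse(url).scheme.lower() != "https":
        raise InsecureTransportError(f"refusing to send a token over {url!r}")
    return {"Authorization": f"GoogleLogin auth={token}"}


# Constructed sample of outbound requests (placeholder hosts and token),
# not captured traffic.
SAMPLE_REQUESTS = [
    ("http://calendar.example/api/events", {"Authorization": "GoogleLogin auth=EXAMPLE_TOKEN"}),
    ("https://docs.example/api/list", {"Authorization": "GoogleLogin auth=EXAMPLE_TOKEN"}),
    ("http://gallery.example/sync?auth=EXAMPLE_TOKEN", {}),
    ("http://gallery.example/public/feed", {}),
]
```

Only the first and third sample requests are flagged: the https Docs call is fine, and the public feed carries no credential at all.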

Until that patch arrives, follow the above described precautions whenever you're on an open network.

Last fall iOS was shown to have a bug that gave unauthorized users full access to the phone app via a trick on the unlock screen.  While dangerous, that exploit was a bit different -- it required physical access.  By contrast, this exploit doesn't even require a hacker to touch your Android handset.




Two things I wanted to point out
By Bateluer on 5/17/2011 6:12:42 PM , Rating: 2
1) Google already addressed the problem in 2.3.4; as noted in the article, only prior versions are susceptible. The burden would be on carriers and manufacturers to get off their behinds and release OS updates to current versions. WTF are new phones still launching with 2.2? Entirely unacceptable at this stage in the game.

2) If you've even got the slightest amount of gray matter upstairs, this exploit is meaningless. Don't connect to unsecured WiFi; it's foolish at the best of times.




RE: Two things I wanted to point out
By nolisi on 5/17/2011 7:17:58 PM , Rating: 5
Two things I want to point out:

1) Google has had years of releases behind 2.3.4 with intermediary patches/hotfixes/updates to their apps. What braindead developer thought it's a good idea to allow security tokens to be transmitted over HTTP? This is almost as basic as encrypting password transmission. Not encrypting critical security data is foolish ALL the time.

2) It's unreasonable to assume that people will never need to connect to unsecured WiFi, or WiFi that hasn't been compromised. Don't be the @$$h0l3 techie who thinks that people who don't have a thorough understanding of technology shouldn't be allowed to use it.

It's ironic that you implicitly equate people (regardless of experience) who connect to unsecured wifi with being dumb, yet hold the developer, who should have an advanced understanding of security and of how to securely transact sensitive authentication data, blameless.

As much as I love my Android, this was pretty effing stupid to allow this kind of exploit for this long.


RE: Two things I wanted to point out
By nolisi on 5/17/2011 7:27:55 PM , Rating: 3
By the way, you can't allow this kind of BS when you're just releasing a cloud managed OS solution promising to relieve the burden of managing the PC for the average user so that they don't have to know/deal with as much in everyday computing life.


RE: Two things I wanted to point out
By dwalton on 5/17/2011 7:29:45 PM , Rating: 5
That's the problem. Telling people it's addressed in 2.3.4 is telling many that the problem will be addressed when they basically buy a new Android phone.

I don't blame this on Android but Google, the manufacturers and the carriers.

1.) Google, you should be aggressive in trying to establish a more streamlined mechanism for updating Android phones in the wild. Given that no OS is going to be bug- or mistake-free, I'm not sure how anybody thought the current setup was a good idea.

Plus, security updates shouldn't be dictated by performance or screen size. If an old phone can't run the new version of Android, then past versions should be patched separately.

It's not like you haven't turned Google Marketplace into a stick instead of a carrot when it suited your needs. How about using that stick to support your userbase's needs?

2.) Manufacturers, you need to ditch your UIs. If you need to differentiate and you think your UI is the bomb, give it away on Google's marketplace. That way we can update that UI when it's ready without it standing in the way of Android OS updates.

Furthermore, if you all can release new phones with new versions of the OS every few months, you can squeeze in some time to support your current products and customers.


RE: Two things I wanted to point out
By phantom505 on 5/18/2011 1:50:07 AM , Rating: 3
Rooted. Fixed. Droid Incredible.


By omnicronx on 5/18/2011 11:01:40 AM , Rating: 2
Please stop pretending as though installing CM7 is an easy process for more than a small percentage of users.

As someone who flashes their phone every day, it's clearly not for the faint of heart.

Many phones also don't support 2.3.4 yet at all, whether it be by leaked ROMs or CM7 (such as the SGS, which outnumbers your Incredible by a large margin).


By ultimatebob on 5/18/2011 8:18:42 AM , Rating: 3
Even telling them to buy a new Android phone wouldn't work, as many NEW Android phones are still shipping with 2.2.

Maybe the security experts should start recommending that people should buy new iPhones instead. Maybe that would get Samsung's, HTC's, and Motorola's attention to this ongoing issue of slow or nonexistent Android updates on their phones.


By jrcaptain on 5/18/2011 9:19:20 AM , Rating: 2
Amen to that.


RE: Two things I wanted to point out
By lballs421 on 5/18/2011 2:59:28 PM , Rating: 2
Hit the nail on the head there! I am a big Google supporter but they really dropped the ball here. Google should be well aware of the risks of not being able to instantly update the security of a device that is always connected to the net... especially when that device contains massive amounts of valuable private data.


RE: Two things I wanted to point out
By croc on 5/18/2011 9:08:01 PM , Rating: 2
"... especially when that device contains massive amounts of valuable private data."

A small hand-held device that contains 'massive amounts of valuable private data' had best be well encrypted, password protected, etc. Holds true for laptops, ipads, etc. These types of devices CAN and WILL be easily lost, misplaced or stolen. If your 'private data' is so sensitive, treat it as such. NEVER depend on the security of the system to which you are connected. Be paranoid, because in this case they ARE out to get you.


RE: Two things I wanted to point out
By xSauronx on 5/17/2011 8:17:06 PM , Rating: 2
The overall lack of attention to security by entities like Google and Facebook is absurd at this point. It's no surprise to Google these days that phone updates from vendors take far too long to get to their users, but they should have had https forced from *the start*.

It's not a new protocol or idea, but hell, didn't they only start enforcing it on Gmail through a browser just last year? Why is that? Why wasn't it being used from the start?

Facebook doesn't surprise me... they only recently offered an https login option; again, why so late? Is https that hard to implement?


RE: Two things I wanted to point out
By Zok on 5/17/2011 8:27:52 PM , Rating: 2
RE: Two things I wanted to point out
By Tony Swash on 5/18/2011 4:54:44 AM , Rating: 2
quote:
1) Google already addressed the problem in 2.3.4, noted in the article that only prior versions are susceptible.


I’m sure most Android handsets will be updated to version 2.3.4 or later very soon, so no worries :)


RE: Two things I wanted to point out
By croc on 5/18/2011 9:15:30 PM , Rating: 2
And I am sure that Apple will fix the large, gaping security flaws in the ophone platform, say, when the iPhone 5 rolls out? Smugness and complacency are terms not really to be used in re: the 'jesus phone'. Neither is security, really.


Copyright 2014 DailyTech LLC.