According to researchers at Ulm University Institue of Media Informatics in Germany, hackers can exploit Android authTokens when users are on an unencrypted Wi-Fi network.Android has another security problem.
The authTokens are used to login to sites like Facebook, Twitter and Google's calendar and contacts services. The security hole is found within the ClientLogin authentication used by Google services to access APIs. The vulnerability affects any Android smartphone user who has not updated to Gingerbread 2.3.4 (the researchers were unsure about whether Honeycomb 3.0 is affected). Considering that almost no Android phones have Gingerbread at this point, that means about 99% of users are vulnerable to the exploit.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis," the Ulm researchers wrote. "The short answer is: Yes, it is possible, and it is quite easy to do so."
The findings were first reported by The Register.
Tokens used by ClientLogin are stored for two weeks and the security hole allows hackers to break into the phone and access the tokens even if the information is not being actively sent through an unencrypted network connection. The researchers said that the attack is similar to a hack known as sidejacking that steals cookie sessions of websites and is what allowed the Firesheep plugin that made noise earlier this year to attack users.
What this really comes down to is if a device is using HTTPS to send information or not. HTTPS (Hypertext Transfer Protocol Secure) adds a layer of SSL/TLS to HTTP that gives data a 128-bit to 256-bit encryption on data being sent. It is not impervious to hack, but it is difficult and prohibitive for black hats looking for an easy target.
Researchers keep finding holes in Android that disclose data without the users knowledge or consent. In January there was a vulnerability found in Android 2.3 where data was siphoned if a user clicked on a phishing scam link. That was preceded by a similar weakness found in November 2010. Outside of specific builds, there was also the DroidDream "rageagainstthecage" attack through malicious applications in the Android Market that Google had to remotely deactivate from users phones.
The researchers suggest that users avoid open networks (always good advice) and deactivate automatic application syncing. When applications using authTokens automatically sync on an open network, they make themselves wholly available to whoever is looking. For developers, if possible, always use HTTPS and use oAuth authentications instead of authToken and shorten the length in which authTokens are stored.
Security is a constant battle. All big corporations and governments are pretty much always under attack. Consumers are no different. What it often comes down to is common sense. Do not download applications that have suspect permissions to parts of your phone. If possible, do not grab Wi-Fi from unencrypted locations. Do not click on suspect links, no matter how many iPads they are offering if you take a survey. Digital security is like real-life physical security - keep your wits about you and you should be fine.