By this point, just about everyone knows how risky connecting to an unsecured wireless access point can be. Unfortunately, many public Wi-Fi hotspots forego security in exchange for convenience, and that ultimately leaves users exposed to attacks. Based on new research from the University of Ulm in Germany, Android users appear to be in even more danger than those on other platforms.

A weakness in Android versions 2.3.3 and earlier leaves authentication tokens stored on devices for a full two weeks after the initial login is made to services like Google Calendar, Facebook, and Twitter. An attacker can then launch an impersonation attack and intercept the token when a subsequent request is made. While the hole has been plugged in Android 2.3.4 and the tablet-friendly Android 3, most users remain unpatched (the overwhelming majority are still running Android 2.2). Worse still, even though the token vulnerability has been addressed, Picasa synchronization still puts users at risk — by transmitting data using unencrypted channels.

The Android team is currently working on a fix for this as well, but that means almost 99% of Android devices in use are at risk right now. As the University team told The Register, it’s not overly difficult to ensnare users with this type of attack. All it takes is setting up an unencrypted access point and broadcasting a common, familiar SSID — to which devices will automatically connect if they’ve done so before. Apps that use Android’s ClientLogin protocol and are running in the background would then immediately try to authenticate, enabling the attacker to harvest tokens.

A fix should be fairly simple: restricting ClientLogin to HTTPS, for example, ought to be sufficient. Whether that will happen or not remains to be seen, so the best way to protect yourself right now is to completely avoid using unsecured wireless connections.
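A client-side guard implementing the fix the article proposes (an added example, not Android's or Google's code): refuse to attach a ClientLogin token to any URL that is not HTTPS, and expire tokens locally long before the two-week window the article describes. The `Authorization: GoogleLogin auth=<token>` header is the format the ClientLogin API documented; the function names and the 24-hour default are assumptions.

```python
"""Guard for Google ClientLogin tokens (added example, not Android's code).

The article's two findings are that (1) ClientLogin authTokens were sent over
unencrypted HTTP, where anyone on the same access point can read them, and
(2) a captured token stayed valid for two weeks.  This guard refuses to attach
a token to anything but an HTTPS URL and treats tokens older than a configured
age as expired, forcing a fresh login instead of reusing a long-lived token.
"""
import time
from urllib.parse import urlsplit

# Assumed policy (not from the article): re-authenticate after one day
# rather than relying on the server-side two-week lifetime.
DEFAULT_MAX_TOKEN_AGE = 24 * 60 * 60


class InsecureTransportError(Exception):
    """Raised when a token would be sent over a non-HTTPS channel."""


class TokenExpiredError(Exception):
    """Raised when a token is older than the local max-age policy."""


def clientlogin_headers(url, token, issued_at, now=None,
                        max_age=DEFAULT_MAX_TOKEN_AGE):
    """Return request headers carrying `token`, or refuse.

    `issued_at` and `now` are Unix timestamps; `now` defaults to the clock.
    """
    parts = urlsplit(url)
    # Compare the scheme case-insensitively; 'HTTPS://' is still TLS.  A URL
    # with no host (relative or scheme-less) is rejected too, since we cannot
    # know what transport it will end up on.
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise InsecureTransportError(
            f"refusing to send ClientLogin token over {parts.scheme or 'relative'} URL")
    now = time.time() if now is None else now
    if now - issued_at > max_age:
        raise TokenExpiredError("token older than local max age; re-authenticate")
    return {"Authorization": f"GoogleLogin auth={token}"}


def is_safe_to_send(url, token, issued_at, now=None, max_age=DEFAULT_MAX_TOKEN_AGE):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        clientlogin_headers(url, token, issued_at, now, max_age)
        return True
    except (InsecureTransportError, TokenExpiredError):
        return False
```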

More at The Register