Follow-up: Google Patches Up Security Hole Affecting Most Android Phones
Whuh oh. Researchers in Germany have found that most Android phones contain a dangerous security hole that, if exploited, would allow someone to access your accounts for certain Google services.
“The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.”
That’s a lot of nerd-babble but the basic procedure is that when a vulnerable Android phone connects to the internet, the Google apps on that phone will attempt to synchronize with Google’s servers. Part of the synching process includes sending a username and password which, if it proves to be legit, is stored as a special 14-day pass (the “token”) so that you don’t have to provide your username and password every time you log in.
If data thieves were to set up a commonly-named Wi-Fi access point—it’d be named Linksys or Netgear or Starbucks or whatever—in a populated area and a bunch of people’s Android phones established connections to that access point, the evil-doers would be able to capture these tokens and then turn around and use that information to log into someone’s account.
The trick only works on unencrypted Wi-Fi networks but, as The Register points out, about 99% of Android phones currently on the market are affected by this security hole.
To check if your Android phone is vulnerable, go to Settings > About phone > and check out the number listed under the “Firmware version” heading. If it’s 2.3.3 or lower, your phone is apparently at risk. If that’s the case, be careful about connecting it to unencrypted Wi-Fi networks. Using the phone’s mobile internet connection should be fine and any password-protected Wi-Fi network should be fine. Google has patched the issue with version 2.3.4 of Android, but very few Android phones have been updated yet.
Several Verizon phones, for instance, “remain stuck with Android 2.2.2,” as The Register points out. A Verizon spokesperson told the publication that “she couldn’t say when the company will provide customers with an updated version of Android,” and that people “should consider using their devices only on secured networks” in the meantime.
More on TIME.com:
‘Dislike’ Someone on Facebook and You’ll Be Sorry
UK Government Under Constant Cyber Attack