Wednesday, 18 May 2011

Android: nearly 100% of devices leak user data

Researchers in Germany have found that when a user connects an Android phone (version 2.3.3 or earlier) to an unsecured Wi-Fi network, their personal data is at risk of falling into the hands of attackers.
Weaknesses in Google's security are becoming increasingly visible. Researchers Bastian Könings, Jens Nickels and Florian Schaub at the University of Ulm ran a test and found that 99.7% of smartphones running Google's Android operating system could easily be compromised by an attacker on the same network. The attacker can then use the leaked data to impersonate the legitimate user and access online accounts such as Google Calendar, Twitter and Facebook.
According to the researchers, the vulnerability stems from a flaw in how Android uses the ClientLogin authentication protocol, which is used in Android 2.3.3 and earlier versions, according to The Register. After the user submits their login credentials, ClientLogin returns an authentication token (authToken) to the requesting application, which then sends it to Google's servers in cleartext over HTTP. Because an authToken can be reused and remains valid for up to 14 days, an attacker who captures it from the network can use it to access the account.
"We wanted to know whether it is really possible to launch an impersonation attack against Google services, so we carried out our own analysis," the researchers wrote. "The short answer is: yes, it is possible, and it is quite easy to do so. Moreover, the attack is not limited to Google Calendar and Contacts. In theory, it affects all Google services that use the ClientLogin authentication protocol to access their data APIs."
The attack is only possible when the Android phone sends data over an unsecured network, such as an open Wi-Fi access point. The researchers said an attacker can carry it out whenever the device is connected to a network under the attacker's control.
"To collect authTokens on a large scale, an attacker could set up a Wi-Fi access point with a common SSID of an unencrypted wireless network. With the default settings, Android phones automatically connect to a previously known network, and many applications will immediately attempt to synchronise. While the synchronisation fails, the attacker captures an authToken for each service that tried to sync."
The German researchers proposed several measures for application developers, Google and Android users. Developers whose applications use the ClientLogin protocol "should immediately switch to HTTPS". Google should limit the lifetime of authTokens and reject ClientLogin-based requests sent over insecure connections. The researchers recommend that Android users update their phones to version 2.3.4 as soon as possible, turn off automatic sync when connected to open Wi-Fi, or avoid unsecured Wi-Fi networks altogether.
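The following is an added example written for this post; it is not code from the Ulm researchers or from Google. It shows both halves of the story above: what a rogue open access point sees when a phone auto-syncs over plain HTTP (the harvesting step), and the developer-side guard that the "switch to HTTPS" recommendation implies. The captured requests and token values are constructed by hand; the only thing taken from the real protocol is ClientLogin's documented header format, `Authorization: GoogleLogin auth=<token>`.

```python
"""Added example (not from the original article, the Ulm researchers or Google).

Part 1: harvest_tokens() parses raw HTTP requests as an attacker-controlled
open Wi-Fi AP would see them and pulls out every cleartext ClientLogin authToken.
Part 2: build_authorized_request() is the client-side guard a developer would
add so the token is never attached to a plain-HTTP URL.

Assumption: ClientLogin puts the token in the header
'Authorization: GoogleLogin auth=<token>'. Sample requests and tokens below are
constructed placeholders, not real captures.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of what a rogue AP could capture when a phone auto-syncs.
CAPTURED_REQUESTS = [
    "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAJ8AAACalendarTokenExample\r\n"
    "\r\n",
    "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAK0AAADContactsTokenExample\r\n"
    "\r\n",
    # A request without a ClientLogin header: nothing to harvest here.
    "GET /generate_204 HTTP/1.1\r\n"
    "Host: connectivitycheck.android.com\r\n"
    "\r\n",
]

# Matches the ClientLogin header on its own line; \s*$ also absorbs the \r.
_AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$", re.I | re.M)


def harvest_tokens(requests):
    """Return (host, path, token) for every request carrying a cleartext authToken.

    This is the attacker's view: anything sent over plain HTTP on an open AP is
    readable, and each service that tries to sync hands over its own token.
    """
    found = []
    for raw in requests:
        head, _, _ = raw.partition("\r\n\r\n")      # headers only, ignore any body
        lines = head.split("\r\n")
        request_line = lines[0].split()
        path = request_line[1] if len(request_line) >= 2 else ""
        host = ""
        for line in lines[1:]:
            if line.lower().startswith("host:"):
                host = line.split(":", 1)[1].strip()
        m = _AUTH_RE.search(head)
        if m:
            found.append((host, path, m.group(1)))
    return found


def build_authorized_request(url, token):
    """Developer-side guard: only attach a ClientLogin token to an https:// URL.

    Raises ValueError instead of silently sending the token in cleartext, which
    is exactly the mistake the researchers describe for Calendar/Contacts sync.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(
            f"refusing to send ClientLogin token over {parts.scheme!r}; use https")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            f"Authorization: GoogleLogin auth={token}\r\n\r\n")


if __name__ == "__main__":
    for host, path, token in harvest_tokens(CAPTURED_REQUESTS):
        print(f"leaked authToken for {host}{path}: {token}")
    # The guard lets the https request through and rejects the http one.
    print(build_authorized_request(
        "https://www.google.com/calendar/feeds/default/private/full", "example"))
    try:
        build_authorized_request(
            "http://www.google.com/calendar/feeds/default/private/full", "example")
    except ValueError as exc:
        print("blocked:", exc)
```

Run the block as-is to see the two tokens recovered from the constructed captures; a token found this way is all an attacker needs for the 14-day replay window, since ClientLogin does not bind it to the device or connection. The guard only covers the scheme of the request; the other half of the researchers' advice (shorter token lifetime, refusing tokens over insecure connections) has to be enforced on Google's side.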