Android handsets 'leak' personal data - New Item On BBC website

http://www.bbc.co.uk/news/technology-13422308

Android handsets 'leak' personal data
Android phone owners are being urged to update their handset to avoid problems

More than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.

The data being leaked is typically used to get at web-based services such as Google Calendar.

The discovery was made by German security researchers looking at how Android phones handle identification information.

Google has yet to comment on the loophole uncovered by the researchers.

ID attack
University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub made their discovery while watching how Android phones handle login credentials for web-based services.

Many applications installed on Android phones interact with Google services by asking for an authentication token - essentially a digital ID card for that app. Once issued the token removes the need to keep logging in to a service for a given length of time.

Sometimes, found the researchers, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot so criminals eavesdropping on the wi-fi traffic would be able to find and steal them, suggest the researchers.

Armed with the token, criminals would be able to pose as a particular user and get at their personal information.

Even worse, found the researchers, tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.

"[T]he adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user," the researchers wrote in a blog post explaining their findings.

Abuse of the loophole might mean some people lose data but other changes may be harder to spot.

"...an adversary could change the stored e-mail address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business," the team speculated.

There is no suggestion that attackers are exploiting the Android loophole at the moment.

Almost all versions of the Android operating system were passing round unencrypted authentication tokens, found the researchers. It was fixed in version 2.3.4 but, suggest Google figures, only 0.3% of Android phones are running this software.

Some Google services, such as image sharing site Picasa, are still using unencrypted authentication tokens that can be stolen, found the team.

The researchers urged Android phone owners to update their device to avoid falling victim to attacks via the loophole. Google is also known to be working with operators and handset makers to get updates to people faster than at present.

This is rather worrying news for many I'm sure!

I'm currently on Android 2.2 and waiting for HTC to roll out an update to 2.3 for the Desire Z, which with the Desire HD software update rolling out earlier this week, will hopefully come soon.

 
The researchers urged Android phone owners to update their device to avoid falling victim to attacks via the loophole.

What update would that be then??...or is it just another stupid scaremongering story like the Apple one a few weeks back that said iPhones are secretly reporting locations back to Apple etc.
 
This sounds a little more serious than the iPhone/Apple incident.

If it's correct then hoorah someone found it before the baddies did. But now it's out there in the public domain and we have to wait an insufferably long time for an update.
 
Has an actual technology website reported on this yet? BBC never seem to have a clue when it comes to technology-related news.
 
What update would that be then??...or is it just another stupid scaremongering story like the Apple one a few weeks back that said iPhones are secretly reporting locations back to Apple etc.

It's fixed in the 2.3.4 update which only a very small percentage of Android users have at present.
 
Another reason not to wait for the official update and just get a stable custom ROM.

Samsung is terrible with updates for their older devices.
 
Even if Google plug their apps, I'm sure many other apps don't use HTTPS.

That is why I have never used my phone over unsecured Wi-Fi.
 
I have 2.3.4, even if I didn't I still wouldn't be that bothered and would still be glad I moved away from the control freaks that are Apple.
 
Lol it made me laugh when the article said to update to the latest version of Android!!

That's just one of the reasons Android is utter tosh because you can't just update to the latest version when stuff like this is fixed. The person who thought that leaving updates in the phone makers' hands for a smartphone OS was a good idea should be shot! The OS is constantly changing so installing updates is a must ffs.
 