Yesterday, researchers from Germany’s University of Ulm reported that some Android applications transmit sensitive authentication data without properly securing it, making people vulnerable to having their private data (e.g. Calendar Contacts, Pictures) accessed by an attacker. When a vulnerable device transmits its authentication data, an attacker can eavesdrop and view transmitted data if you are connected to a public WiFi network or are using a hostile internet connection. Sending data unencrypted (e.g. via HTTP rather than HTTPS) is analogous to sending your sensitive data in clear envelope so that everyone can see its contents rather than in an opaque envelope.
The specific vulnerability is found in applications that use Google’s ClientLogin authentication service over HTTP, rather than HTTPS, such as Google Calendar and Contacts. An attacker can read a user’s digital credentials (i.e. “Auth Tokens”) when a vulnerable app on their phone syncs in the background. The attacker can then obtain full access to any of the services the vulnerable app interacts with.
Attacks are most likely to occur when using untrusted networks, such as public WiFi hotspots. When you access untrusted WiFi hotspots, an attacker can eavesdrop on your phone’s network traffic to capture your authentication data in order to impersonate you using the compromised applications.
One example the researchers suggest is how an attacker “could change the stored email address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”
Phones it affects: Continue reading…