Android Vulnerability: Use Precaution on Public WiFi

Yesterday, researchers from Germany’s University of Ulm reported that some Android applications transmit sensitive authentication data without properly securing it, making people vulnerable to having their private data (e.g. Calendar Contacts, Pictures) accessed by an attacker. When a vulnerable device transmits its authentication data, an attacker can eavesdrop and view transmitted data if you are connected to a public WiFi network or are using a hostile internet connection. Sending data unencrypted (e.g. via HTTP rather than HTTPS) is analogous to sending your sensitive data in clear envelope so that everyone can see its contents rather than in an opaque envelope.

The specific vulnerability is found in applications that use Google’s ClientLogin authentication service over HTTP, rather than HTTPS, such as Google Calendar and Contacts. An attacker can read a user’s digital credentials (i.e. “Auth Tokens”) when a vulnerable app on their phone syncs in the background. The attacker can then obtain full access to any of the services the vulnerable app interacts with.

Attacks are most likely to occur when using untrusted networks, such as public WiFi hotspots. When you access untrusted WiFi hotspots, an attacker can eavesdrop on your phone’s network traffic to capture your authentication data in order to impersonate you using the compromised applications.

One example the researchers suggest is how an attacker “could change the stored email address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”

Phones it affects: Continue reading…

Related Posts

Publishers Force Domain Seizure of Public Domain Music Resource IMSLP, the largest public domain music library on the Internet, has just suffered a damaging attack on the site’s infrastructure. In a wrongful action...
Anti SOPA/PIPA Protest: How it happened and what you can do The protest against Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA) has come and gone, but the fight is just getting starte...
Building a Distributed, Decentralized Internet – A Roadmap I know that I'm not Patrick, and I don't pretend to speak for anyone but myself here. I just want to say that I share Patrick's belief in the radical ...
Join EFF in Standing up Against Internet Censorship Over the past few weeks, we here at EFF have watched as whistleblowing website WikiLeaks has fueled an emotionally charged debate about the secrecy ...
Steer clear of Android Market and its DRM Google recently made headlines after they identified some malware being distributed through the Android Market. Not only did they stop distributing t...
ST-Ericsson and Linaro, working towards the first release By ST-Ericcson: Open source has become an important driving force in the smartphone industry and a particularly key area of focus for ST-Ericsson. We...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at ContainerizeThis.com

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


One Comment

  1. So?

    When you connect to wifi hotspots generally you are warned this is not protected and be aware of data being transmitted. People using Android are generally away they sync and get/put data out to the internet. If you connect any device to a public/shared wifi connection and expect privacy without additional security like VPN connections then expect potential data leaks to 3rd parties.

    People can setup wifi hotspots, make it look like the hotels etc and take you credit card details. That’s no fault of a OS. Please..

Leave a Comment

Your email address will not be published. Required fields are marked *

*