Android devices vulnerable via unsecured Wi-Fi networks, Google promises fix

Researchers at Germany's University of Ulm claim that 99 percent of Android devices are vulnerable to attack when they're used to log into a site on an unsecured Wi-Fi network.

The researchers said that devices running on Android 2.3.3 or older are vulnerable because of a faulty ClientLogin authentication protocol. ClientLogin is "meant to be used for authentication by installed applications and Android apps," the report said. "Basically, to use ClientLogin, an application needs to request an authentication (authToken) from the Google service by passing an account name and password via an https connection."

That means when a user logs into sites like Facebook, Twitter or Google Calendar, the information is saved for up to 14 days. Attackers can then use that saved information to access the user's accounts.

In response, Google (NASDAQ:GOOG) said it will change the way its Android services work to ensure the information isn't vulnerable when a user connects to an open Wi-Fi network.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," Google said in a statement. "This fix requires no action from users and will roll out globally over the next few days."
