All Android Phones Leak Google & Facebook Account Credentials

A German university ran a small research to check the strength of Android OS security system and they found out that 99% of the devices leak out Facebook, Google Calendar, Contacts and other Google service’s account credentials.  A hacker or a malware application can access all your personal details from Google servers if your Android is connected to a rouge WIFI hotspot! So next time you step in to T-Mobile, attwifi, starbucks, watch out for rouges around you if you are connecting Android device to their WiFi network.

Android_Phone

The Register says

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in clear text. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.

Note that this vulnerability is found in all the Android devices running versions 2.3.3 or earlier. By the way 99% of Android devices are running on the vulnerable operating system!

How To Protect Your Android

As the news about the vulnerability is out, the geeky team at Lifehacker drafted an excellent post on how to secure your vulnerable Android devices from this exploit.

The best recourse here is to turn off automatic Wi-Fi connections and use 3G or 4G mobile service rather than an unsecured wireless network. If you do need to use Wi-Fi at a hotspot for some reason (e.g., you have a Wi-Fi only tablet), use something like the recently covered SSH Tunnel app, which creates a secure connection between your device and a server to keep data safe from prying eyes. As a very last resort, manually connect to an open Wi-Fi network only after verifying it’s the real deal.

Photo by Johan Larsson.

Leave a Comment

Your email address will not be published. Required fields are marked *