A security flaw in nearly all Android phones can leak contact, calendar and photo data to nearby hackers, researchers said. But is this a serious threat to Android security, or just an overblown bit of fear-mongering?
Let's walk through what we know to find out:
What's the issue?
Several Google Android apps use a method called ClientLogin to authorize the transfer of sensitive data to Web-based services. ClientLogin uses authorization tokens to pass the user's login and password through a secure https connection to a Web service, such as Google Calendar or your synced contacts.
The problem, according to researchers at Ulm University's Institute of Media Informatics, occurs once the token is validated and returned. It can then be used for up to two weeks in requests through insecure http connections, making it vulnerable to theft by a hacker on the same Wi-Fi network.
What are the dangers?
A hacker could use the stolen token to gain access to calendars, contacts or Picasa images. The intruder could then steal or modify information within these services. Think corporate espionage or personal stalking.
The issue applies to all Android versions prior to 2.3.4 for contacts and calendars, and up to and including 2.3.4 for Picasa Web albums. Researchers say it applies to 99.7 percent of Android phones, which isn't accurate because the data they use only counts users who have recently accessed the Android Market. Still, it's safe to say that the vast majority of Android phones are affected.
What's the likelihood of being attacked?
There's the rub. The attack requires the user and the hacker to be on the same Wi-Fi network. The researchers describe the possibility of evil twin networks, which spoof popular Wi-Fi access points like those at Starbucks, but the more likely threat comes from ordinary insecure Wi-Fi.
Even then, we're talking about a hacker who's sitting in close proximity with the sole intent of stealing data. Like the Firesheep mass-hacking tool that caused a stir last year, this issue is scary to think about, but getting hit with an attack is not very likely for average users.
What can users do?
The best thing to do is to stick with secure Wi-Fi networks. In Android settings, you can also turn off automatic synchronization when connecting to open Wi-Fi. Updating to Android 2.3.4 would solve most of the problems -- although Picasa information is still vulnerable -- but that's entirely in the hands of wireless carriers and phone makers.
Should Google do something?
The researchers have several recommendations for Google, including a requirement that all apps and sync services switch to https, as Google Calendar and Contacts have done in Android 2.3.4. They also recommend that Google switch to a more secure authorization service such as OAuth, limit the lifetime of authentication tokens, reject ClientLogin requests over http connections and create a way to limit automatic Wi-Fi connections to protected networks.
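To make the token flow described above and the researchers' last two recommendations concrete, here is an added example in Python. It is not code from the article, from Google or from the Ulm researchers: it models a hypothetical client-side guard that refuses to attach a ClientLogin-style authToken to any request that is not https and that treats the token as expired after a short lifetime instead of two weeks, plus a detection routine that scans proxy-style request records for tokens sent in the clear. The `Authorization: GoogleLogin auth=` header form is the one ClientLogin used; the one-hour lifetime, the `build_headers` and `find_plaintext_token_requests` functions, and all hosts, paths and token strings are constructed for the example.

```python
"""Added example (not from the article or the Ulm researchers): a client-side
guard for ClientLogin-style authTokens that enforces the two mitigations the
article lists, https-only use of the token and a short token lifetime, plus a
check over constructed request records to spot tokens sent over plain http.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# ClientLogin tokens were carried in this header. OBSERVED_TOKEN_LIFETIME is
# the two-week window the article describes; SAFE_TOKEN_LIFETIME is an
# assumed, much shorter policy value chosen for this example.
AUTH_HEADER = "Authorization"
AUTH_PREFIX = "GoogleLogin auth="
OBSERVED_TOKEN_LIFETIME = timedelta(days=14)
SAFE_TOKEN_LIFETIME = timedelta(hours=1)


@dataclass(frozen=True)
class AuthToken:
    value: str
    issued_at: datetime
    lifetime: timedelta = SAFE_TOKEN_LIFETIME

    def is_expired(self, now: datetime) -> bool:
        return now >= self.issued_at + self.lifetime


class TokenPolicyError(Exception):
    """Raised when a request would expose or misuse the token."""


def build_headers(url: str, token: AuthToken, now: datetime) -> dict:
    """Return the auth header for `url`, or refuse if policy is violated.

    Two checks model the researchers' recommendations: never attach the
    token to a plaintext http request, and never reuse a token past a short
    lifetime. Both checks are this hypothetical guard's own policy.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise TokenPolicyError(f"refusing to send authToken over {scheme!r}")
    if token.is_expired(now):
        raise TokenPolicyError("authToken expired; re-authenticate over https")
    return {AUTH_HEADER: AUTH_PREFIX + token.value}


def find_plaintext_token_requests(records: list) -> list:
    """Detection side: given proxy-style records of outgoing requests
    ({'url': ..., 'headers': {...}}), return the URLs on which a ClientLogin
    token travelled over http, i.e. the exposure the article warns about.
    """
    leaked = []
    for rec in records:
        auth = rec.get("headers", {}).get(AUTH_HEADER, "")
        if auth.startswith(AUTH_PREFIX) and urlsplit(rec["url"]).scheme.lower() == "http":
            leaked.append(rec["url"])
    return leaked


# Constructed sample data: timestamps, hosts, paths and token strings are
# made up for the example.
NOW = datetime(2011, 5, 17, 12, 0, tzinfo=timezone.utc)
FRESH = AuthToken("DQAAAMYAAAB-constructed-token", NOW - timedelta(minutes=5))
STALE = AuthToken("DQAAAMYAAAB-constructed-token", NOW - timedelta(days=10))
SAMPLE_RECORDS = [
    {"url": "https://www.google.com/m8/feeds/contacts/default/full",
     "headers": {AUTH_HEADER: AUTH_PREFIX + FRESH.value}},
    {"url": "http://www.google.com/calendar/feeds/default/private/full",
     "headers": {AUTH_HEADER: AUTH_PREFIX + FRESH.value}},
    {"url": "http://picasaweb.google.com/data/feed/api/user/default",
     "headers": {AUTH_HEADER: AUTH_PREFIX + FRESH.value}},
    {"url": "http://example.com/",  # plaintext, but carries no token: not a leak
     "headers": {}},
]


def demo() -> dict:
    """Run the checks on the constructed data and collect the outcomes."""
    outcome = {}
    outcome["https_ok"] = AUTH_HEADER in build_headers(
        "https://www.google.com/m8/feeds/contacts/default/full", FRESH, NOW)
    try:
        build_headers("http://www.google.com/calendar/feeds", FRESH, NOW)
        outcome["http_refused"] = False
    except TokenPolicyError:
        outcome["http_refused"] = True
    try:
        build_headers("https://www.google.com/calendar/feeds", STALE, NOW)
        outcome["stale_refused"] = False
    except TokenPolicyError:
        outcome["stale_refused"] = True
    # Under the two-week lifetime the article describes, the same ten-day-old
    # token would still be accepted.
    outcome["stale_ok_under_old_policy"] = not AuthToken(
        STALE.value, STALE.issued_at, OBSERVED_TOKEN_LIFETIME).is_expired(NOW)
    outcome["leaked"] = find_plaintext_token_requests(SAMPLE_RECORDS)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per check: the https request gets its header, the http and stale requests are refused, the same stale token would have passed under the two-week lifetime, and the scan reports the two plaintext calendar and Picasa URLs while ignoring the plaintext request that carried no token. The guard sits on the client side because that is where the article locates the fix (apps and sync services switching to https); the scan is the kind of check a network or mobile security team could run over egress records to confirm that no app is still sending tokens in the clear.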