Published in Mobiles

Android phones vulnerable to user account attacks

by on 18 May 2011


99.7% of devices could leak user account credentials
German boffins claim that as many as 99.7 percent of all Android devices are vulnerable to an attack that might compromise data transfers over wireless networks.

The vulnerability is apparently caused by a flaw in Google’s ClientLogin authentication protocol, used to authenticate communication between the device and apps. ClientLogin works by accepting a user name and password via HTTPS and returning an authentication token to the app.

However, attackers can apparently seize the authToken, as many apps transmit it over unencrypted HTTP connections, and then use it to access personal information. Researchers claim that attackers can easily gain access to contact information, calendar info, private web albums and other information, which can then be used to collect sensitive information.
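To audit an app for the cleartext token leak described above, the following added example (not from the article or from Google) scans a proxy-style request log captured from a test device and flags requests that carry a ClientLogin token over plain HTTP. The `Authorization: GoogleLogin auth=` header form comes from Google's ClientLogin documentation rather than from this page; the log layout, host names and token value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log: one request per blank-line-separated record,
# request line first, headers after. Hosts and the token are made up.
SAMPLE_LOG = """\
POST https://login.example.test/accounts/ClientLogin HTTP/1.1
Content-Type: application/x-www-form-urlencoded

GET http://calendar.example.test/feeds/default HTTP/1.1
Authorization: GoogleLogin auth=DQAAconstructedTokenAAAA

GET https://contacts.example.test/feeds/default HTTP/1.1
Authorization: GoogleLogin auth=DQAAconstructedTokenAAAA

GET http://photos.example.test/albums/private HTTP/1.1
authorization: googlelogin auth=DQAAconstructedTokenAAAA

GET http://news.example.test/index.html HTTP/1.1
Accept: text/html
"""

# Header names are case-insensitive, so match without regard to case.
TOKEN_HEADER = re.compile(
    r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE | re.MULTILINE
)

def find_cleartext_tokens(log_text):
    """Return (host, path, redacted_token) for each token sent over http://."""
    findings = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        request_line, _, headers = record.partition("\n")
        parts = request_line.split()
        if len(parts) < 2:
            continue  # not a request line; skip malformed record
        url = urlsplit(parts[1])
        match = TOKEN_HEADER.search(headers)
        # HTTPS requests carrying the token are fine; only cleartext is a finding.
        if url.scheme.lower() == "http" and match:
            token = match.group(1)
            findings.append((url.hostname, url.path, token[:4] + "..."))  # redact
    return findings

if __name__ == "__main__":
    for host, path, token in find_cleartext_tokens(SAMPLE_LOG):
        print(f"cleartext authToken {token} sent to http://{host}{path}")
```

Any finding means the app should move that endpoint to HTTPS, since the same token is valid across the services it is sent to.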

All Android versions prior to Gingerbread 2.3.4 feature the vulnerability. Since the new update is available only on a handful of phones, this means that almost every Android phone currently in use is open to attack.
