Catching Android Tokens in the Wild

Below is my interview with Shaun Nichols of on the latest Android security flaw:

Unsecured Wi-Fi leaves Android users open to attack


Android logo

18 May 2011, Shaun Nichols  , V3

Experts are warning of the dangers of unsecured Wi-Fi connections after a group of German researchers uncovered a security flaw which could leave Android users’ contact information exposed.

Researchers from Ulm University reported that many Android handsets and tablets are currently vulnerable to attack via an unsecured Wi-Fi connection when used to access authentication tokens for Google’s Calendar, Contacts and Gallery services. The vulnerability lies in the handling of the authToken component. When the user is connected on an open Wi-Fi connection, an attacker could capture and reuse the token to access data on the Google services. “The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data,” the researchers wrote. “For Contact information, private information of others is also affected, potentially including phone numbers, home addresses and email addresses.” The flaw is found in handsets running Android versions prior to 2.3.4 and tablets running Android versions prior to 3.0. The authorisation is performed over a secure connection on newer versions which prevents harvesting of the tokens. The researchers suggest that, if possible, Android handset owners should update to the newest version for their device.

Read more of this post