Android Smartphones Susceptible to Sniffing Attack
Apparently a recent report on Android based smartphone has revealed that most Android handsets on the market are susceptible to sniffing, or snooping attack whereby someone may be able to access contact and calendar data via an unencrypted WiFi network.
According to an article over on Cnet, although this issue has been sorted with the latest Android handsets, 99.7 percent of all Android devices still run older versions, and according to a Uni-ulm article titled Catching authtokens in the wild. The insecurity of Google’s ClientLogin Protocol,” an attack can be accomplished by an attacker sniffing an authtoken (authentication token) used by an Android handset when communicating with Google services.
The report says that it is fairly easy to attack Google Contacts, Calendar and Picasa Web albums on the newer Android smartphones as well as theoretically all Google services via the ClientLogin authentication protocol to gain access to APIs.
The latest Android 3.0 Honeycomb tablets and Android 2.3.4 handset do not have the problem Google has confirmed and says, “We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa.”
Here’s what the researchers say about how it works…” With the ClientLogin Protocol, applications request an authToken from the Google service by sending an account name and password via an HTTPS (hypertext transfer protocol secure) connection. The authToken is valid for up to two weeks and is used for subsequent requests to the Google service API. If the authToken is sent over unencrypted HTTP, an attacker could use network sniffing software, like Wireshark, to grab it.”
In finalising the researchers suggest that Android users should update their firmware as soon as possible to Android 2.3.4, which is all well and good if your carrier delivers said update in a reasonable time.
But apparently there is a way round the problem if you don’t have Android 2.3.4 and that is to turn off auto-sync in the settings menu when connecting with open WiFi networks, or avoid them when using apps.