The revelation will again put the spotlight on Google’s approach to security with its mobile operating system, which is the most popular software for smartphones in the world. The security flaw has been fixed in version 2.3.4 of Android and later.
In March, Google was forced to remove more than 50 rogue applications, which could have stolen data or sent costly messages, from tens of thousands of Android devices.
The attack works when an unsecured wireless access point imitating a public WiFi hot spot the phone has connected to before, such as a coffee shop chain’s, captures an authentication token.
That token can then be used by attackers to access and modify personal data in Picasa, Google’s photo site, Calendar and Contacts. Business customers using Google apps on Android are not affected by the weakness because all traffic is encrypted by default.
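The condition the researchers describe is a credential travelling over plain HTTP on an open network; the fix Google shipped and the protection business customers already had is the same traffic over TLS. As an added example, not code from the article or the Ulm researchers, this small checker takes request records from a sync client (constructed sample data, placeholder hostnames and token) and flags every credential header sent without HTTPS.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Header names under which a client usually carries a session or auth token.
# Constructed list for this example, not taken from the article.
TOKEN_HEADERS = frozenset({"authorization", "cookie", "x-auth-token"})


@dataclass
class SyncRequest:
    """One request a sync client emitted, as seen by a traffic monitor."""
    url: str
    headers: dict = field(default_factory=dict)


def token_headers(req):
    """Names of headers in req that carry a credential, lowercased and sorted."""
    return sorted(h.lower() for h in req.headers if h.lower() in TOKEN_HEADERS)


def plaintext_token_findings(requests):
    """Return (host, path, header) for every credential sent over non-TLS transport.

    A token that travels over plain HTTP is readable by anyone on the same open
    WiFi network and can be replayed until it expires; the identical request
    over HTTPS is not flagged.
    """
    findings = []
    for req in requests:
        parts = urlparse(req.url)
        if parts.scheme == "https":
            continue
        for name in token_headers(req):
            findings.append((parts.hostname, parts.path, name))
    return findings


def sample_requests():
    """Constructed traffic, not a real capture: two sync calls and one public fetch."""
    return [
        SyncRequest("http://calendar.sync.example/feeds/default",
                    {"Authorization": "TOKEN-PLACEHOLDER"}),   # leaked: HTTP + token
        SyncRequest("https://contacts.sync.example/feeds/default",
                    {"Authorization": "TOKEN-PLACEHOLDER"}),  # fine: TLS protects it
        SyncRequest("http://photos.sync.example/public/thumb.jpg"),  # fine: no token
    ]


if __name__ == "__main__":
    for host, path, header in plaintext_token_findings(sample_requests()):
        print(f"credential header '{header}' sent in the clear to {host}{path}")
```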
“The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data,” said the Ulm researchers in a posting on their website.
“Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored e-mail address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”
Google said of the flaw: “We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa.”
However, according to the researchers, the flaw still affects devices running older versions of Android, which make up 99.7 per cent of Google smartphones in use today.
“The latest research just shows that Android users need to be even more careful with their phones than they are with their PCs,” said Omri Sigelman, vice-president of AVG Mobilation, a provider of security software for Android.
“All platforms are vulnerable to hackers, particularly at the beginning of their lives, but the openness and popularity of Android means that it is especially at risk. Sadly, many operators don’t provide the necessary updates, leaving their users vulnerable to critical flaws like this one.”
The Ulm researchers recommended that Android users turn off “automatic synchronisation” in the settings menu when connecting with open WiFi networks and let their devices “forget” wireless networks they have used previously.
“The best protection at the moment is to avoid open WiFi networks at all when using affected apps,” they wrote.
By Tim Bradshaw, taken from http://www.ft.com/cms/s/2/905bb4d6-813e-11e0-9360-00144feabdc0.html#axzz1MnhvGBQC