Researchers: 99 Percent of Android Devices Open To Security Risk
By Leslie Horn
If you use an Android phone, you might be open to a security risk. Researchers at Germany's University of Ulm are claiming that 99 percent of Android devices are vulnerable to attack when they're used to log into a site on an unsecured network.
According to the research, devices running on Android 2.3.3 or older are vulnerable because of a faulty ClientLogin authentication protocol.
ClientLogin is "meant to be used for authentication by installed applications and Android apps," report authors said. "Basically, to use ClientLogin, an application needs to request an authentication (authToken) from the Google service by passing an account name and password via an https connection."
When a user logs into a site such as Facebook, Twitter, or Google Calendar, the resulting authentication data is retained for up to 14 days, and an attacker who captures it can use it to access the account.
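As an added illustration, not code from the article or from the Ulm researchers: a check that flags ClientLogin authTokens sent over plaintext HTTP in constructed proxy-style records, and computes how long a captured token would stay replayable under the 14-day validity described above. The request URLs, header layout and token values are assumptions made up for the sample.

```python
# Added example: detect ClientLogin authTokens leaving a device over cleartext
# HTTP (readable by anyone on the same open Wi-Fi network) and estimate the
# remaining replay window from the 14-day token validity the article cites.
import re
from datetime import datetime, timedelta

# ClientLogin clients carry the token in this header; the token strings below are constructed.
AUTH_HEADER = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)$", re.I | re.M)
TOKEN_LIFETIME = timedelta(days=14)

# Constructed proxy-style records: (time observed, request URL, raw request headers).
CAPTURED = [
    (datetime(2011, 5, 16, 9, 0), "http://www.google.com/m8/feeds/contacts/default/full",
     "Host: www.google.com\nAuthorization: GoogleLogin auth=DQAAAK4AAACxyz\nGData-Version: 3.0"),
    (datetime(2011, 5, 16, 9, 1), "https://www.google.com/calendar/feeds/default/owncalendars/full",
     "Host: www.google.com\nAuthorization: GoogleLogin auth=DQAAAK4AAACabc"),
    (datetime(2011, 5, 16, 9, 2), "http://www.example.com/index.html",
     "Host: www.example.com\nUser-Agent: Android"),
]


def exposed_tokens(records):
    """Return (time, url, token) for every authToken carried over plaintext HTTP.

    Tokens on https:// requests are encrypted in transit and are not reported.
    """
    hits = []
    for seen_at, url, headers in records:
        match = AUTH_HEADER.search(headers)
        if match and url.lower().startswith("http://"):
            hits.append((seen_at, url, match.group(1)))
    return hits


def replay_window(captured_at, issued_at=None):
    """Whole days a sniffed token remains usable after capture.

    If the issue time is unknown, assume the worst case of a freshly issued token.
    """
    issued_at = issued_at or captured_at
    remaining = issued_at + TOKEN_LIFETIME - captured_at
    return max(remaining.days, 0)


if __name__ == "__main__":
    for seen_at, url, token in exposed_tokens(CAPTURED):
        print(f"{seen_at:%Y-%m-%d %H:%M} cleartext authToken to {url}: "
              f"replayable for up to {replay_window(seen_at)} more days")
```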
The researchers—Bastian Könings, Jens Nickels, and Florian Schaub—were inspired to tackle the subject after Dan Wallach of Princeton's Center for Information Technology Policy outlined the risks of using an Android smartphone in open Wi-Fi networks. They decided to launch their own attack to test the security of the platform.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis," they said.
"The answer is: Yes, it is possible and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs."
Google did not immediately respond to a request for comment.
This is not the only recent report of Android vulnerability. According to a report from Juniper Networks and BullGuard mobile security, Android malware quadrupled between June 2010 and January 2011, with the greatest threat coming from legitimate apps that have been injected with malicious software.
Google, however, has the power to remotely delete malicious apps.