German security researchers discovered that an astonishing 99.7% of Android smartphones leak unencrypted data when one logins to Google services. Hackers sniffing for this data over wireless connections could gain access to information stored in the cloud, so claimed by Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm.
The researchers say the problem is in the authentication tokens. Mobile applications use these tokens to eliminate the need for the user to login every time whenever they access Google services. These tokens are handy but they are sometimes sent in plaintext form over wi-fi networks. This means that anyone who happened to be eavesdropping on the wireless network could grab these tokens with ease.
Much worse is that these tokens are not specific to the handset, which means that a token used for one handset could also be used on another, according to Könings.
A hacker can access Calendar and Contact data online and thereby steal private information such as phone numbers, home addresses, and email addresses. Such a person can also modify the stored information such as the email addresses of the victim’s associates hoping to receive sensitive or confidential material pertaining to their business. And these tokens won’t expire for a long period of time (14 days for Calendar tokens), which means that someone grabbing your token could have two weeks of access to your data.
To grab these tokens on a large scale, an enemy of yours could setup a wireless access point with a common SSID of an unencrypted wireless network such as Starbucks’ access point. With default settings, Android phones automatically connect to a previously known network and many mobile apps will also attempt to sync immediately.
As syncing data fails, your enemy would capture the authTokens for each service that attempted syncing. Since authTokens have the long lifetime, your enemy can easily capture a large number of tokens and make use of them later on from a different location.
So what can an Android user to do? The researchers suggest upgrading your handset to Android 2.3.4 when it becomes available. The upgrade offers HTTPS for Google Calendar and Contacts sync. They also said to switch off automatic sync when using public wireless access points and most importantly, avoid using affected apps on public WiFi connections. Following these suggestions would be very helpful especially if you are a heavy user of Google services.