Monday, May 30, 2011

99% of Android smartphones 'leak' personal data

Almost 99.7% of Android-based smartphones potentially leak user data which, if stolen, could be used to get at the information users store online.

According to University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub, Android smartphones leak login data for Google services, and could allow others access to information stored in the cloud. The researchers reportedly made the discovery while watching how Android phones handle login credentials for Web-based services.

The researchers say the problem lies in the way applications that deal with Google services request authentication tokens (several applications installed on Android phones interact with Google services through an authentication token). This token is essentially a digital ID card for that app which, once issued, removes the need to keep logging in to a service for a given length of time.

The researchers discovered that these tokens are often sent in plain text over wireless networks. This makes the tokens vulnerable to eavesdropping by criminals on Wi-Fi networks.

Once a token is stolen, criminals can pose as the user it belongs to and extract his or her personal information. As the researchers say in their blog, "The implications of this vulnerability reach from disclosure to loss of personal information for the (Google) Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

Here's what Android users can do to prevent this data leak:
• Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
• Switch off automatic synchronization in the settings menu when connecting to open Wi-Fi networks.
• The best protection at the moment is to avoid open Wi-Fi networks altogether when using affected apps.

Source: The Times of India