Critical Android Vulnerability: Use Precaution on Public WiFi
Please see below for an important update on this story.
Yesterday, researchers from Germany’s University of Ulm reported that some Android applications transmit sensitive authentication data without properly securing it, making people vulnerable to having their private data (e.g. Calendar, Contacts, Pictures) accessed by an attacker. When a vulnerable device transmits its authentication data, an attacker can eavesdrop and view the transmitted data if you are connected to a public WiFi network or are using a hostile internet connection. Sending data unencrypted (e.g. via HTTP rather than HTTPS) is analogous to sending your sensitive data in a clear envelope so that everyone can see its contents, rather than in an opaque envelope. The specific vulnerability is found in applications that use Google’s ClientLogin authentication service over HTTP rather than HTTPS, such as Google Calendar and Contacts. An attacker can read a user’s digital credentials (i.e. “Auth Tokens”) when a vulnerable app on their phone syncs in the background. The attacker can then obtain full access to any of the services the vulnerable app interacts with.
Attacks are most likely to occur when using untrusted networks, such as public WiFi hotspots. When you access untrusted WiFi hotspots, an attacker can eavesdrop on your phone’s network traffic to capture your authentication data in order to impersonate you using the compromised applications. One example the researchers suggest is how an attacker “could change the stored email address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”
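As an added example (not code from the original post or from Lookout), here is a small Python check for the exposure described above: given captured HTTP requests from your own device, it reports credentials that were sent without TLS. It assumes the ClientLogin header format `Authorization: GoogleLogin auth=<token>` and works on constructed sample captures; it also reports other Authorization schemes, which goes beyond the post's ClientLogin case.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample captures (not real traffic): one request an Android sync
# adapter might send, plus whether the connection to the server used TLS.
SAMPLE_CAPTURES = [
    {"tls": False, "raw": "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAMYAAACexampleTOKENvalue\r\n\r\n"},
    {"tls": True, "raw": "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAMYAAACexampleTOKENvalue\r\n\r\n"},
    {"tls": False, "raw": "GET /private HTTP/1.1\r\nHost: intranet.example\r\n"
     "Authorization: Basic dXNlcjpwYXNz\r\n\r\n"},
]

class Finding(NamedTuple):
    host: str
    path: str
    scheme: str      # "GoogleLogin" for a ClientLogin token, else the header's own scheme
    token_hint: str  # first 4 characters plus length; the full token is never kept

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

# ClientLogin credentials travel as "Authorization: GoogleLogin auth=<token>".
CLIENTLOGIN = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

def redact(token: str) -> str:
    return f"{token[:4]}...({len(token)} chars)"

def check_capture(cap: dict) -> Optional[Finding]:
    """Report a credential sent without TLS; None when the request is fine."""
    _method, path, headers = parse_request(cap["raw"])
    auth = headers.get("authorization")
    if cap["tls"] or not auth:
        return None  # encrypted in transit (not this post's exposure), or no credential
    match = CLIENTLOGIN.match(auth)
    # The ClientLogin token is the case from the post; other schemes are reported too.
    scheme, value = ("GoogleLogin", match.group(1)) if match else auth.partition(" ")[::2]
    return Finding(headers.get("host", "?"), path, scheme, redact(value))

def find_cleartext_credentials(captures) -> List[Finding]:
    return [f for f in map(check_capture, captures) if f is not None]
```

Run `find_cleartext_credentials(SAMPLE_CAPTURES)`: the plain-HTTP calendar sync and the Basic-auth request are reported, the TLS contacts sync is not.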
Phones it affects:
Those running Android versions 2.3.3 and earlier. Google patched this vulnerability in phones running 2.3.4 and above.
How you might be affected:
If you have a phone running an Android version 2.3.3 or earlier and are accessing the internet over an unsecured WiFi network, you are at risk.
To check what version of Android you are running, open the Settings application and navigate to Applications -> About Phone. Click “Software information”. If you are running a version of Android 2.3.3 or lower, your device is vulnerable and you should use caution when accessing a public WiFi hotspot.
How you can stay safe:
At the moment, the best protection is to avoid open WiFi networks on your Android device, but if you need to use public WiFi here are some tips:
- When your device manufacturer offers a “system update,” update your phone immediately to the latest version of Android.
- Ensure that you are using a secured WiFi network. To make sure you are, check “Settings” on your phone and only connect to networks that require a password. Avoid using free WiFi hotspots such as those in coffee shops and airports.
- Let your device forget any public networks to which you previously connected. To prevent automatic reconnection, click on the open network name, hold down until you see a menu, then click “forget.”
Over the past few years there has been a big push to encrypt all sensitive data as it is transmitted. For example, at Lookout, we use SSL (https) whenever you log into your account via the web or when your device communicates with our servers. Currently, many web services like Gmail and Facebook by default do not use encryption for all data and it’s up to the user to opt-in. Typically you can change these settings by going into the security module in your account and selecting the option to always connect via https.
We’ll keep you updated on this important news as more information becomes available.
Update: PC World reported today that Google will begin rolling out a patch to affected users today, May 18. Users need take no action to access the fix, which will take several days to roll out completely.
![Facebooksslv2[1]](http://blog.mylookout.com/wp-content/uploads/2011/05/Facebooksslv21.jpg)
So, this will affect 99.9% of Android users, since most phones are still using Froyo and those who have Gingerbread already are only updated through 2.3.3
Should you always logoff facebook, linkedin, dropbox, etc… on your phone?
Shouldn’t replacing GoogleCalendarSyncAdapter.apk and GoogleContactsSyncAdapter.apk with those from 2.3.4 fix the issue? Those should be the apks that communicate with Google.
Don’t know whether those are compatible with Froyo but replacing works on Gingerbread.
Good simple advice.
imho the biggest security threat on Android are rogue apps.
I am so thankful for your site & app it’s saved my phone a few times & you give us the option to save money with the free version that is so much more powerful than the ones you have to pay for it’s amazing you don’t charge us triple just for the basic I’m poor so I’m extremely grateful for your service I recommend you to everyone I know in hopes that some will get the premium so I don’t feel like I’m taking advantage of your generosity please know I am so thankful for your services & if I start to make money again I’m so going to upgrade.Thank You So Much for Amazing Quality Security & Service.
@Bob, thanks for your message. Logging out of your Social Network accounts (Facebook, LinkedIn, etc) is an added precaution you can take. We did receive news today that Google will begin rolling out a patch to affected users; please visit our blog to read the full update, or read the full article by PC World at: http://www.pcworld.com/article/228146/google_issues_patch_to_plug_android_data_leaks.html. Thank you!
@ Lars, thanks for your message. It is possible that replacing GoogleCalendarSyncAdapter.apk and GoogleContactSyncAdapter.apk with those from 2.3.4 may work—but we would not recommend this as a fix for the vulnerability. Today, Google rolled out a patch to all affected users—users need take no action to access the fix (visit our blog to view the full update).
[...] this information from their phone, they should use discretion when accessing information from untrusted WiFi hotspots. By illustrating how hacking threats can leave peoples’ “sensitive information exposed to cyber [...]
[...] Critical Android Vulnerability: Use Precaution on Public WiFi (mylookout.com) [...]