Guest rascas Posted May 18, 2011 (edited)

First some links:
german: http://www.ksta.de/html/artikel/1305651201172.shtml
english: http://www.freedom-to-tinker.com/blog/dwal...roid-smartphone
http://www.uni-ulm.de/en/in/mi/staff/koeni...authtokens.html

What should the ordinary user do now? Upgrade to cyanogen, or is this leak already fixed in the custom roms? below 2.3.4

Edited May 18, 2011 by rascas

Guest devilkazuya Posted May 18, 2011

I have just read the article and also read about this previously on other news sites and apparently it has to do with browsing on open wifi networks. Reading from the article you posted, google calendar is the only one that seems to be affected, which I don't personally use anyway, and it's best to keep gps off when not in use anyway. Just disabling the GPS will not prevent your location from being sent. The phone can use phone triangulation and also can use WIFI to find your location. I guess it all boils down to the user and just be vigilant or <joke>buy a windows phone</joke> LOL.

Guest wbaw Posted May 18, 2011 (edited)

options are upgrade to 2.3.4, use a vpn when using unencrypted public wifi, or don't use unencrypted public wifi. it's unlikely to be fixed in any versions below 2.3.4. don't install the facebook app either.

Edited May 18, 2011 by wbaw

Guest rascas Posted May 18, 2011

So not using open Wlans is enough to be safe? ... at least as long as cyanogen is stable enough :unsure:

Guest wbaw Posted May 18, 2011 (edited)

> So not using open Wlans is enough to be safe? ... at least as long as cyanogen is stable enough :unsure:

Not using public or unencrypted wifi should help to prevent against that method of attack. You can't connect to the same network as a bad guy that wants to steal your google/facebook/any other website login info, without using an additional layer of encryption, like a vpn.

http://codebutler.com/firesheep?c=1

Edited May 18, 2011 by wbaw

Guest Orbbman Posted May 18, 2011

Uh, hey, that's also a problem for Blackberry, Nokias, Sony Ericssons, iPhones - general internet problem? :unsure: Maybe it's a "revenge" on the "iPhone Tracking System". You definitely can't reduce the problem only on Android. :)

Guest crblues Posted May 18, 2011 (edited)

> Uh, hey, that's also a problem for Blackberry, Nokias, Sony Ericssons, iPhones - general internet problem? :P Maybe it's a "revenge" on the "iPhone Tracking System". You definitely can't reduce the problem only on Android. <_<

I was thinking exactly the same... hehehe

If someone reads a bit about "man in middle" attacks, they will find out that it is a quite common problem that exists with any type of unencrypted connection over wi-fi... :rolleyes: Look for "pineapple" and wi-fi...

Ohh and if you want it to be a secret, don't put it on the internet... would you send your account number and pin in a postcard?

Edited May 18, 2011 by crblues

Guest jurrasstoil Posted May 18, 2011

Is this really just for unencrypted wifis? What about sitting in a hotel lobby that uses wpa2 and you get the key when you check in - wouldn't everyone who is using the network be able to do the same thing?

Guest wbaw Posted May 18, 2011

> Is this really just for unencrypted wifis?

no

> What about sitting in a hotel lobby that uses wpa2 and you get the key when you check in - wouldn't everyone who is using the network be able to do the same thing?

yes

Guest german_psycho Posted May 18, 2011

Just use a VPN when connecting to public wifis and you are safe..

Guest curl66 Posted May 18, 2011

this crap is running through the newspaper everywhere. there is ALWAYS a risk of somebody sniffing your data on unsecured wireless networks. there are many APPs for android and iphone that don't use encryption anyway. and nobody knows and so don't care about.

DON'T USE SENSITIVE APPS ON UNSECURED PUBLIC NETWORKS! USE YOUR OWN BRAIN!!!!!!! THINK ABOUT SECURITY. SECURITY STARTS WITH YOURSELF!

don't whine about such "bugs". there are many of them, everywhere.

Guest ColdEmbrace Posted May 18, 2011

I think everyone is missing the point, this wasn't about people sniffing open networks, it was about people making open networks specifically to sniff your data, e.g. living near starbucks and creating an identical SSID so that you connect to the wrong WAP and divulge your data. This was not about people linking onto the same open WiFi as you and stealing your data from the network.

Guest Schwinni Posted May 18, 2011

> I think everyone is missing the point, this wasn't about people sniffing open networks, it was about people making open networks specifically to sniff your data, e.g. living near starbucks and creating an identical SSID so that you connect to the wrong WAP and divulge your data. This was not about people linking onto the same open WiFi as you and stealing your data from the network.

That really doesn't matter. The point is that some services sending password (or in this case the tokens) shall use HTTPS!

Guest wbaw Posted May 18, 2011

> I think everyone is missing the point, this wasn't about people sniffing open networks, it was about people making open networks specifically to sniff your data, e.g. living near starbucks and creating an identical SSID so that you connect to the wrong WAP and divulge your data. This was not about people linking onto the same open WiFi as you and stealing your data from the network.

It is about people packet sniffing on public wifi networks. There is no need to set up a fake ap. You can connect to your local public wifi & see what everybody else is sending across that network (as long as the data isn't encrypted).

Most web services don't use encryption or any other protection against this kind of man in the middle attack. It isn't just Google & it certainly isn't just Android affected by this. You should be using another form of encryption, like a vpn, if you're using a public wifi service.

Guest Nick Rhodes Posted May 18, 2011

Good news, fix to be rolled out: http://www.pcmag.com/article2/0,2817,2385565,00.asp

Said will roll out to everyone automatically, does this include rooted/3rd party roms though?

Guest Ibcus Posted May 18, 2011

Isn't the problem just that the token that is sent is not tied to the device it was sent from? Seems an easy fix to tie the token to a specific device and block any other device that is trying to use it.

Guest wbaw Posted May 19, 2011 (edited)

> Isn't the problem just that the token that is sent is not tied to the device it was sent from? Seems an easy fix to tie the token to a specific device and block any other device that is trying to use it.

OK, so how would it identify the device, then how would it prevent somebody who can see the network traffic doing a replay attack & impersonating that device? The fix is strong encryption.

Edited May 19, 2011 by wbaw

Guest Nick Rhodes Posted May 19, 2011

I found out that the fix is a serverside fix, http://www.theregister.co.uk/2011/05/18/go...d_security_fix/ which ensures https is used. :P

Guest rascas Posted May 19, 2011

> It isn't just Google & it certainly isn't just Android affected by this. You should be using another form of encryption, like a vpn, if you're using a public wifi service.

There is one thing I do not understand.

- As I read the articles about this leak, it seems as if it is app dependent, other devices, some not even running android, are at risk, too.
- the leak is fixed in 2.3.4

How can this be? How can it be an android leak if other devices - not running android - are affected and how can it be fixed in android 2.3.4 if it is at least partly app dependent? If the above is true I would not call it an android leak.

Guest Nick Rhodes Posted May 19, 2011

The servers that handled authentication were configured to accept both http and https connections. 2.3.4 initiated a https connection. Other devices initiated a http non secure connection.

What I think google have done is configured their servers to redirect the http to the https connection (this is something we do on one of the websites I develop).

Cheers, Nick

Guest rascas Posted May 19, 2011

> What I think google have done is configured their servers to redirect the http to the https connection (this is something we do on one of the websites I develop). Cheers, Nick

That would fix the google apps side. And google apps only but not an android leak. I am a little bit confused. :P

Guest Schwinni Posted May 19, 2011

> That would fix the google apps side. And google apps only but not an android leak. I am a little bit confused. :P

What Android leak? If a program chooses to communicate only via HTTP it is the fault of the application's developer. The calendar app has this problem and Google can fix that because they force HTTPS when the tokens are exchanged.

You have exactly the same problem when using your notebook in such an environment. When you decide to connect to your mail provider with POP/IMAP & SMTP instead of POPS/IMAPS & SSMTP you may not wonder that everybody in your WLAN can read your mails!

Guest rascas Posted May 19, 2011

> What Android leak?

The android leak everybody is talking about. But I am with you, I would not call it an android leak, too, if it is just an issue using unsecure apps in a wlan - open or secure.

If this is so, why is everybody talking about an android leak and why is Google rolling out a fix for android... There must be more, than just the app issue.

Guest Schwinni Posted May 19, 2011

> If this is so, why is everybody talking about an android leak and why is Google rolling out a fix for android... There must be more, than just the app issue.

Google is rolling out a fix for Android? So all Android phones are upgraded to 2.3.4? Seriously, Google fixes that on the servers' side.

The login was secured by SSL anyway, but older versions of the apps (found in ROMs < 2.3.4) use non-SSL when exchanging the token. Google now sets a rewrite rule to force SSL. Just open http://webmail.uni-wuerzburg.de for example and see what happens to the protocol. That's what Google rolls out on their servers.

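Added example, not part of any post in this thread: a sketch of the server-side policy the posts above describe (redirect plain HTTP to HTTPS), extended to retire any token that arrived over plain HTTP, because the request has already crossed the network by the time the redirect is sent. The `handle` function, the `Authorization` header lookup and the `calendar.example` host are assumptions for illustration, not Google's implementation.

```python
# Added illustration; names and return shape are assumptions, not Google's code.
from urllib.parse import urlsplit, urlunsplit

HSTS = ("Strict-Transport-Security", "max-age=31536000")

def handle(url, headers, revoked):
    """Decide the response for one request.

    url     -- full request URL as seen by the server
    headers -- dict of request headers
    revoked -- set of tokens already seen over plain HTTP (mutated here)
    Returns (status_code, list_of_response_headers).
    """
    parts = urlsplit(url)
    # Header names are case-insensitive, so compare in lower case.
    token = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), None)

    if parts.scheme == "https":
        if token is not None and token in revoked:
            # Token was exposed on an earlier plaintext request: force re-login.
            return 401, [HSTS]
        # HSTS tells the client to stay on HTTPS for later requests.
        return 200, [HSTS]

    # Plain HTTP: the token (if any) was already sent in the clear before
    # this response exists, so the redirect alone does not protect it.
    if token is not None:
        revoked.add(token)
    target = urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))
    return 301, [("Location", target)]

if __name__ == "__main__":
    seen = set()  # the requests below are constructed samples
    print(handle("http://calendar.example/feeds?alt=json",
                 {"Authorization": "token-A"}, seen))
    print(handle("https://calendar.example/feeds?alt=json",
                 {"Authorization": "token-A"}, seen))
    print(handle("https://calendar.example/feeds?alt=json",
                 {"Authorization": "token-B"}, seen))
```
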
Guest rascas Posted May 19, 2011

> The login was secured by SSL anyway, but older versions of the apps (found in ROMs < 2.3.4) use non-SSL when exchanging the token. Google now sets a rewrite rule to force SSL.

I have read that on a german site. But on english sites they talk about "rolling out" ... So it seems as if there are many guys out there with different ideas. Instead of a rewrite rule, rolling out the 2.3.4 apps would be an option, too. So let's wait and see.