Security flaw found in Android phones

[Guest brinkley1988]

NEW YORK — A significant security hole has been discovered in Google’s Android operating system for smartphones that can allow attackers to gain access to users’ personal information without their permission.

The flaw, which was discovered by three research assistants at Ulm University in the southern part of Germany, affects approximately 97 percent of Android users.

In a recent blog post, the researchers found users of Android devices running versions 2.3.3 and below could be susceptible to attack when connected to unencrypted Wi-Fi networks. Anyone else on that network could gain access to, modify or delete Android users’ calendars, photos and contacts.

“It is quite easy,” the researchers wrote in a blog post. “The implications of this vulnerability reach from disclosure to loss of personal information.”

A spokesman for Google said the company is aware of the issue, and a fix is already in place for the calendar and contacts applications in the latest versions of Android, code-named “Gingerbread” and “Honeycomb.” A solution is also in the works for Google’s Picasa photo sharing service, he said.

Only about 3 percent of Android users have the latest versions of the operating system, but Google said Android users running older versions will get a fix “in the next few days.” Users don’t need to take any action, and the patch will roll out globally.

The security flaw stems from Google making use of unencrypted login protocol for the affected services. By using HTTP, rather than the more secure HTTPS, “an adversary can easily sniff the (login information),” according to the blog post.

The kind of attack that can be performed on Android devices over unencrypted Wi-Fi networks is similar to so-called “Sidejacking” attacks on Facebook or Twitter. For instance, Firesheep, a free Firefox extension that collects data broadcast over an unprotected Wi-Fi network, allows users to gain access to other people’s Facebook accounts.

Though the researchers found that any unsecured application making use of an Android user’s photos, contacts or calendars could be compromised, the data an attacker can gain access to is limited to those three groups. The security bug does not, for example, allow intruders to view a user’s e-mails.

Google was able to fix the problem on its end by requiring an HTTPS connection for calendar and contacts synchronization. By solving the problem on its own servers, Google was able to get around a notoriously slow Android update process: after Google updates the code, manufacturing partners and carriers then manipulate the code for each device.

As a result, the vast majority of Android users are still running “Froyo,” which launched in May 2010. A quarter of users are still on “Eclair,” which came out all the way back in January of last year.

That means a patch for the security hole could have been months or years away for many Android users had Google not found a workaround.

In addition to switching to HTTPS, the researchers also suggested Google prevent Android devices from automatically remembering and logging onto unencrypted Wi-Fi networks. Google did not say whether it had taken any of those steps.