99.7% of Android Devices Vulnerable to Data Leak

A weakness with an Android security feature called ClientLogin in older versions of Android OS leaves 99.7% of all Android devices vulnerable to leaking data on an unsecured WiFi network. Researchers from Ulm University found that it was possible, and even “quite easy” for the bad guys to launch an “impersonation attack” and hijack your Google digital credentials using this flaw, and then use those credentials to log on to your Google accounts (calendar, Gmail, and everything else).

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” researchers at the Institute of Media Informatics of Ulm University wrote in their report. “The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

The Vulnerability

ClientLogin is a technology developed to make mobile services more secure. As explained by The Register, which first covered the research, ClientLogin allows users to log in to Google services once, creating a digital token that is then used for any additional access. This results in your login and password information being transmitted once (once is more secure than “lots,” or even “twice”), which is good.

The problem is that before Android 2.3.4, that token was transmitted in cleartext, which simply isn’t secure. On an unsecured network controlled by the bad guys, that token can then be hijacked and used by said bad guys to access everything on Google you might use. This is bad.

The vulnerability has been fixed in Android 2.3.4 and later (including Android 3.0), which puts us back in the good column, but it turns out that almost no one has bothered to update beyond Android 2.3.3, leaving us squarely back in the bad column again.
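
An added example, not from the article or the Ulm researchers: a check a developer or tester can run over a log of their own app's outgoing requests to flag any credential sent over plain HTTP, which is the condition described above. The hostnames and token values are constructed placeholders, the lists of credential-bearing header and parameter names are assumptions, and `GoogleLogin auth=` is the Authorization scheme ClientLogin used.

```python
from urllib.parse import urlsplit, parse_qsl

# Names treated as credential-bearing (assumed lists; extend for your app).
CREDENTIAL_HEADERS = {"authorization", "cookie"}
CREDENTIAL_PARAMS = {"auth", "token", "access_token"}


def audit_requests(records):
    """Return (host, location) for every credential sent over a non-HTTPS URL.

    Token values are deliberately not copied into the findings, so the
    audit output does not itself become a place where tokens leak.
    """
    findings = []
    for rec in records:
        parts = urlsplit(rec["url"])  # urlsplit lowercases scheme and hostname
        if parts.scheme == "https":
            continue  # encrypted transport: token not readable on the network
        for name in rec.get("headers", {}):
            if name.lower() in CREDENTIAL_HEADERS:
                findings.append((parts.hostname, "header:" + name))
        for name, _value in parse_qsl(parts.query):
            if name.lower() in CREDENTIAL_PARAMS:
                findings.append((parts.hostname, "query:" + name))
    return findings


# Constructed sample log: hostnames and tokens are placeholders.
SAMPLE = [
    # Initial login over HTTPS: username/password are protected.
    {"url": "https://login.example.test/accounts/ClientLogin",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    # Later sync request reuses the token over plain HTTP: flagged.
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDERTOKEN1"}},
    # Same token scheme over HTTPS: not flagged.
    {"url": "https://contacts.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=PLACEHOLDERTOKEN2"}},
    # Token in the query string, upper-case scheme: still flagged.
    {"url": "HTTP://photos.example.test/data?auth=PLACEHOLDERTOKEN3&alt=json",
     "headers": {}},
]

if __name__ == "__main__":
    for host, where in audit_requests(SAMPLE):
        print(f"cleartext credential -> {host} ({where})")
```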

Visual Aids

Google has always had a problem getting users to update to the newest version of Android. In the Android ecosystem, some devices can’t be updated without being rooted (similar to jailbreaking in iOS terms), while others are merely difficult to update and require the user to know what they are doing. Google is working hard on this issue, and the company has reportedly been trying to corral its hardware partners into taking this issue more seriously.

For now, however, 99.7% of Android devices are running Android 2.3.3 or earlier, as of the two weeks leading up to May 2nd of this year (15 days ago). While Android 2.3.4 corrects the problem with Calendar Sync and Contacts Sync (leaving Picasa Sync vulnerable), that version of the OS doesn’t even register with Google’s distribution breakdown. Android 3.0 (Honeycomb) also fixes the problem, though the researchers weren’t sure about Picasa Sync in that version of the OS.

Let’s look at those numbers in a pie chart:

[Figure: Breakdown of Android versions installed on Android devices. Data collected during two weeks ending on May 2, 2011. Chart by The Mac Observer from data provided by Google.]

That chart is kind of messy, so we broke the data down further into the percentage of users with Android 3.0 and everything else.

[Figure: Breakdown of Android users affected by the vulnerability. Data collected during two weeks ending on May 2, 2011. Chart by The Mac Observer from data provided by Google.]

Comments

Lee Dronick

Is it just me or does the CSS seem to be a problem on this page? The right side column is quite wide.

Mikuro

I cannot understand how unencrypted HTTP can still be so common with login systems. USE HTTPS, DEVELOPERS! Jesus.

Sure, I’m not shocked that insecure networks are insecure. I always try to avoid them, but honestly I attributed that to my own paranoia. It really SHOULD be a moot point for just about anything important.

other side

In other news, 100% of all Apple devices with older non-updated systems also have security vulnerabilities.

Just saying…

Wraithleigh

This is blatant crap biased writing.  If you connect to any unsecure access point that’s not using encryption and you’re using http instead of https sites this is going to happen on just about ANY device - I’ve been a Systems admin for well over 10 years, you can fool some people with this kind of writing and that’s what’s sad.

hardcore

The issue is that google is far too busy rushing about, trying to screw the world over, than to worry about your security.

Even if you try to get an update onto your system, it is not easily possible since most vendors are not that interested in you upgrading, since it dints their future market for selling a newer OS

Spellman

And it’s “corral”, not “coral”.  Coral is what the reefs are made of.

Zrotpar

It’s funny to me that on a site called “macobserver”, 3 of the last 8 articles (over 37%) are dedicated to tearing down the Mac’s competition rather than helping mac owners with their devices. My year-old Android device is running 2.3.4 without a hitch.

Got anything else, Apple?

jongo

Seems like yet another bogus article sponsored by apple, i-propaganda?

Txtraveler

I bought my Android phone in February of 2010 - 16 months ago - and I upgraded to 2.3.4 three weeks ago with no trouble at all.  In fact, it was accomplished automatically with a single screen tap on my part authorizing it.

I’m only on this site because of the comment about the Android OS being flawed - I didn’t realize it was an Apple site until after I had arrived.  If I had noticed I wouldn’t have bothered. 

If Apple is this hot and heavy about preaching to their own choir about the supposed flaws of their competition, it must mean they are worried about some of the faithful leaving the flock.

I’m pretty sure no Apple device that old will upgrade as easily to their latest OS as my Android did, but I can’t be positive because I don’t own any Apple devices…

Bosco (Brad Hutchings)

This issue actually does not have anything to do with the operating system version, and everything to do with the apps. The apps can be patched by Google and updated via pushed Android Marketplace updates. They do this with their core Android apps occasionally. More recent versions of the operating system install later versions of the apps.

The OS issue at hand would be automatically connecting to a particular named network. I’d have to see more about it to assess how important it is to a fix.

One technical detail that someone got wrong here (I’m too lazy to reread all three articles to identify who). An attacker does not have to intercept or forward/not forward anything. Attacker could just passively scan and not give any hint to the user that their information is being watched. And that can happen anywhere. As Mikuro noted, that’s why end-to-end encryption via https is a good standard practice.

I would expect Google to have the application side of this problem updated by month’s end and am awaiting Bryan’s illustrations depicting their ability to patch up a hopelessly fragmented ecosystem. Might I suggest ducks and tape?

mhikl

Don’t have time and wasn’t really interested in this Droidenstein topic but the trolls out in force have piqued my interest so will enjoy my coffee and a good read in the morning.

Bryan Chaffin

Seems like yet another bogus article sponsored by apple, i-propaganda?

If you only knew just how funny/preposterous that is, you’d join us for a laugh.

And it’s “corral”, not “coral”.  Coral is what the reefs are made of.

Thanks for catching that. The article has been corrected.

It’s funny to me that on a site called “macobserver”, 3 of the last 8 articles (over 37%) are dedicated to tearing down the Mac’s competition rather than helping mac owners with their devices.

Myopia, I name thee Zrotpar.

This is blatant crap biased writing.  If you connect to any unsecure access point that’s not using encryption and you’re using http instead of https sites this is going to happen on just about ANY device - I’ve been a Systems admin for well over 10 years, you can fool some people with this kind of writing and that’s what’s sad.

You should look up the word “bias.”

Mikuro

If you connect to any unsecure access point that’s not using encryption and you’re using http instead of https sites this is going to happen on just about ANY device - I’ve been a Systems admin for well over 10 years, you can fool some people with this kind of writing and that’s what’s sad.

It seems like the problem here is that the choice between HTTP and HTTPS is made for you by the system—and it makes the wrong choice. It is reasonable to assume that, for instance, the Gmail app will use HTTPS, since Gmail obviously supports HTTPS. And it does….except when it sends the login token. That’s not user error.

AFAIK there’s no simple way to tell whether an app uses HTTP or HTTPS behind the scenes.

RonMacGuy

Wow, tough crowd today.  But good for a chuckle.

Hey Bryan, I didn’t realize this was an ‘Apple site’ where you are here to simply help me with my iMac.  Hmm, well, I don’t really need any help with my iMac today, so I guess you can take the day off!!

Wait a minute.  Mac “Observer” - that doesn’t quite sound like a support site.  Hmm.  The term “Mac” does kind of mess things up though.  Have you guys considered www.techobserver.com yet?  I propose a name change to avoid the “bias” concerns!!

RonMacGuy

Hey Bryan,

Great news!!  www.techobserver.com is for sale!!!

From their website:

“The domain techobserver.com is for sale. To purchase, call BuyDomains.com at 781-839-7903 or 866-866-2700. Click here for more details.”

Just make sure when you transition to the new website you bring over all the history - I need access to BNB’s bold “in about a year” predictions for an annual review/laugh.

Lee Dronick

Don’t have time and wasn’t really interested in this Droidenstein topic but the trolls out in force

“When you resort to attacking the messenger and not the message then you have lost the debate.”
Addison Withecomb

mhikl

Sir H. It was late and had had a long day so didn’t have my filters on. Thanks for reminder. (help me with this one- in every way (something, something) we get better and better ??) Haven’t a clue but think it’s out of some nursery rhyme or story.)

Back to topic. On TMO we like information that ranges through the whole field of tech. Also, there are members and occasional readers who may have non-Apple products so such info is of interest.

Often, broad interests are addressed at this site because of the eclectic nature of its members. I, for example, occasionally visit non-specific Apple sites but don’t often enough. The experience we get from Apple may be different, in a positive or not so positive way, from the non-Apple experience. Why wouldn’t we be interested?

Three articles out of eight. By the law of averages, it’s bound to happen that more than one non-Apple specific topics will happen close together.

Lee Dronick

(help me with this one- in every way (something, something) we get better and better ??) Haven’t a clue but think it’s out of some nursery rhyme or story.)

The first thing that popped into my head is that it is from one of the Pink Panther movies. The one where Inspector Dreyfus was in the mental health hospital because Clouseau drove him off the edge.

Lee Dronick

something, something) we get better and better ??) Haven’t a clue but think it’s out of some nursery rhyme or story.

Apparently it is also in a sports prayer. It took me a few minutes to find that because I would rather watch Heidi, be it Heidi Kramer or Heidi Klum, than a football game.

Tiger

How to tell posters haven’t read the article:

1. I’ve upgraded to 2.3.4 and don’t have any problems. Well, if you read the article, you saw that it’s the versions prior to it that have the problems

2. They still make up the BULK of the Android base.

3. Oh, wait, MacObserver is only doing a summary report on someone else’s research that has nothing to do with Apple! 

How about reading the original story?

mhikl

oops. wrong post

Bosco (Brad Hutchings)

How about reading the original story?

Hey, how about reading what Google is doing on the server side to fix this for most of these users starting today?

Intruder

Good for them. Still need to fix Picasa, but it’s a start.

But your comment isn’t relevant to Tiger’s.

Bosco (Brad Hutchings)

But your comment isn’t relevant to Tiger’s.

Your comment isn’t relevant to mine. In fact, pretty much nothing is relevant in this thread today. An underlying assumption of the original paper that has been magnified by the articles is that Android OS version was the lynchpin problem. The paper seems a bit ignorant or dismissive about separation between applications and OS and what Google has done to update built-in apps, etc. And that’s fine. The articles latch onto this to make some big point about fragmentation, a point which Google’s actions to fix much of the problem today isn’t relevant.

Picasa itself is an app and service combo. It’s not baked into the Android OS. It is part of standard distributions. It can be updated separately from the OS, just like any other app/service on Android. See my post above for a hint of how Google will likely fix that problem for the 99.3% or whatever. That fix will take a little longer because it’s app development, not server-side settings.

Zrotpar

Hey Bryan, I didn’t realize this was an ‘Apple site’ where you are here to simply help me with my iMac.  Hmm, well, I don’t really need any help with my iMac today, so I guess you can take the day off!!

Funny - you’re joking of course.  This obviously IS an Apple oriented site, and Bryan is preaching to the choir here.  Your suggestion about “techobserver” would be a good one - IF the above wasn’t the case.  Macobserver is just fine.

I had a truly good chuckle when I checked my mailbox and saw I was mentioned in Bryan’s response here - I’ve NEVER seen any writer bother to read comments about his articles before.  Now it might be because other writers generate too much controversy and have far more responses, or it might be because Bryan isn’t jaded enough to have stopped caring…but whichever it is, congrats Bryan on having a skin thick enough to handle the comments.  I am impressed!

With regard to Tiger, why yes, I did read the article.  Txtraveler said it better, but I meant the same thing - that the upgrade was easy, not that it solved any problems (I’ve actually never had any problems with my android phone).

While the article seems to base the focus of the sermon on the point that I am one of relatively few who have bothered to upgrade their phones, that fact - if true - rests on the heads of 1) the manufacturers who have distorted the OS enough that the upgrade is no longer automatic like mine was, and 2) the individuals who have not bothered to upgrade their devices.  Google is doing their part to fix flaws in the OS as they are found, just like Apple, MSoft, Symbian, Blackberry and pretty much everyone else who makes one.  While fragmentation is a bit of a problem for Android, it’s one that will eventually be solved as device manufacturers realize they are only hurting themselves.  I’m not worried…

...but it appears that somebody is, because the obvious point of the sermon is to keep the fanboys loyal.

Good luck with that!
