A weakness with an Android security feature called ClientLogin in older versions of Android OS leaves 99.7% of all Android devices vulnerable to leaking data on an unsecured WiFi network. Researchers from Ulm University found that it was possible, and even “quite easy” for the bad guys to launch an “impersonation attack” and hijack your Google digital credentials using this flaw, and then use those credentials to log on to your Google accounts (calendar, Gmail, and everything else).
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” researchers at the Institute of Media Informatics of Ulm University wrote in its report. “The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”
The Vulnerability
ClientLogin is a technology developed to make mobile services more secure. As explained by The Register, which first covered the research, ClientLogin allows users to log in to Google services once, creating a digital token that is then used for any additional access. This results in your login and password information being transmitted once (once is more secure than “lots,” or even “twice”), which is good.
The problem is that before Android 2.3.4, that token was transmitted in cleartext, which simply isn’t secure. On an unsecured network controlled by the bad guys, that token can then be hijacked and used by said bad guys to access everything on Google you might use. This is bad.
The vulnerability has been fixed in Android 2.3.4 and later (including Android 3.0), which puts us back in the good column, but it turns out that almost no one has bothered to update beyond Android 2.3.3, leaving us squarely back in the bad column again.
Visual Aids
Google has always had a problem getting users to update to the newest version of Android. In the Android ecosystem, some devices can’t be updated without being rooted (similar to jailbreaking in iOS terms), while others are merely difficult to update and require the user to know what they are doing. Google is working hard on this issue, and the company has reportedly been trying to corral its hardware partners into taking this issue more seriously.
For now, however, 99.7% of Android devices are running Android 2.3.3 or earlier, as of the two weeks leading up to May 2nd of this year (15 days ago). While Android 2.3.4 corrects the problem with Calendar Sync and Contacts Sync (leaving Picassa Sync vulnerable), that version of the OS doesn’t even register with Google’s distribution breakdown. Android 3.0 (Honeycomb) also fixes the problem, though the researchers weren’t sure about Picassa Sync in that version of the OS.
Let’s look at those numbers in a pie chart:
Breakdown of Android versions installed on Android devices
Data collected during two weeks ending on May 2, 2011
Chart by The Mac Observer from data provided by Google
That chart is kind of messy, so we broke the data down further into the percentage of users with Android 3.0 and everything else.
Breakdown of Android users affected by the vulnerability
Data collected during two weeks ending on May 2, 2011
Chart by The Mac Observer from data provided by Google