Wednesday, May 18, 2011
Researchers Show The Insecurity of Google's ClientLogin Protocol


German researchers launched an impersonation attack against Android smartphones and proved that Google's ClientLogin authentication protocol can pose risks for Android users.

ClientLogin is meant to be used for authentication by installed applications and Android apps. To use ClientLogin, an application requests an authentication token (authToken) from the Google service by passing an account name and password over an https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests sent over unencrypted http, an adversary can easily sniff the authToken, German researchers Bastian Könings, Jens Nickels, and Florian Schaub have shown in their research at the University of Ulm, Germany.

"Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API," the researchers added. This means that for instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. So the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.

"The attack is very similar to stealing session cookies of websites (Sidejacking)," the researchers said.

The researchers tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services).

"Until Android 2.3.3 the Calendar and Contacts apps transmit any request in the clear via http and are therefore vulnerable to the authToken attack," the researchers found. "This affects 99.7% of all Android smartphones (stats from 2nd of May 2011). Since Android 2.3 the Gallery app provides Picasa Web Albums synchronization which is also not encrypted," they added.

Since Android 2.3.4, the Calendar and Contacts apps are using a secure https connection. However, the Picasa synchronization is still using http and thus is still vulnerable.

The researchers added that their sniffed authTokens were valid for several days (14 days for a sniffed Calendar authToken), which enables adversaries to comfortably capture and make use of tokens at different times and locations.

To collect such authTokens on a large scale, an adversary could set up a Wi-Fi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.

The implications of this vulnerability range from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.

Fixing the issue

What app developers can do:

- Android apps and synchronization services using ClientLogin should switch to https. In the newest Android release (2.3.4) this step was already taken for the Google Calendar and Contacts apps, but other apps need to follow. The Gallery app is developed by Cooliris who probably were not made aware of the issue. However, the Android security team told us that they are investigating the Gallery app as well. So hopefully a fix should be integrated in the next release.
- Google APIs offer more secure authentication services. Switching to OAuth for authentication would mitigate the authToken capture issue. Https should be used in addition to prevent synced data from being transmitted in the clear.

What Google/Android can do:

- The lifetime of an authToken should be drastically limited.
- Google services could reject ClientLogin based requests from insecure http connections to enforce use of https. Https is already required for the Google Docs API and will be required for Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs.
- Automatically connecting to known Wifi-networks could be limited to protected networks. At least a respective option should be provided to users.
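
The server-side points above (reject cleartext http, shorten the token lifetime) and the researchers' remark that the authToken is not bound to any device information can be modelled together. The following is an added example, not Google's implementation or code from the researchers: the token format, `SERVER_KEY`, `TOKEN_TTL`, the `device_id` parameter and the example.com URLs are all hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SERVER_KEY = b"constructed-demo-key"  # constructed value; a real service keeps this secret
TOKEN_TTL = 15 * 60                   # assumption: 15 minutes instead of up to 2 weeks


def _mac(account: str, device_id: str, expires: int) -> str:
    # device_id stands in for any device- or session-specific value the server can verify
    msg = f"{account}|{device_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account: str, device_id: str, now: float) -> str:
    """Issue a token that is tied to one device and expires quickly."""
    expires = int(now) + TOKEN_TTL
    return f"{account}|{expires}|{_mac(account, device_id, expires)}"


def check_request(url: str, token: str, device_id: str, now: float) -> str:
    """Return 'ok' or the reason the request is refused."""
    if urlsplit(url).scheme.lower() != "https":
        return "rejected: token sent over cleartext http"
    try:
        account, expires_s, mac = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return "rejected: malformed token"
    if not hmac.compare_digest(mac, _mac(account, device_id, expires)):
        return "rejected: token not valid for this device"
    if now >= expires:
        return "rejected: token expired"
    return "ok"


if __name__ == "__main__":
    t0 = 1_305_700_000  # constructed timestamp (May 2011)
    tok = issue_token("alice@example.com", "device-A", t0)
    for url, dev, when in [
        ("https://api.example.com/calendar", "device-A", t0 + 60),
        ("http://api.example.com/calendar", "device-A", t0 + 60),
        ("https://api.example.com/calendar", "device-B", t0 + 60),
        ("https://api.example.com/calendar", "device-A", t0 + 14 * 86400),
    ]:
        print(url, dev, "->", check_request(url, tok, dev, when))
```

With these checks a token that leaks is refused when presented over http, from another device, or after its short lifetime has passed.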

What Android users can do:

- Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
- Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.
- Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget).
- The best protection at the moment is to avoid open Wifi networks altogether when using affected apps.

