
Wednesday, May 18, 2011
Researchers Show The Insecurity of Google's ClientLogin Protocol


German researchers launched an impersonation attack against Android smartphones and proved that Google's ClientLogin authentication protocol can pose risks for Android users.

ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via an https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests sent over unencrypted http, an adversary can easily sniff the authToken, German researchers Bastian Könings, Jens Nickels, and Florian Schaub have shown in their research at the University of Ulm, Germany.

"Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API," the researchers added. This means that for instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. So the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.

"The attack is very similar to stealing session cookies of websites (Sidejacking)," the researchers said.

The researchers tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services).

"Until Android 2.3.3 the Calendar and Contacts apps transmit any request in the clear via http and are therefore vulnerable to the authToken attack," the researchers found. "This affects 99.7% of all Android smartphones (stats from 2nd of May 2011). Since Android 2.3 the Gallery app provides Picasa Web Albums synchronization which is also not encrypted," they added.

Since Android 2.3.4, the Calendar and Contacts apps are using a secure https connection. However, the Picasa synchronization is still using http and thus is still vulnerable.

The researchers added that their sniffed authTokens were valid for several days (14 days for a sniffed Calendar authToken), which enables adversaries to comfortably capture and make use of tokens at different times and locations.

To collect such authTokens on a large scale, an adversary could set up a Wi-Fi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.

The implications of this vulnerability range from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.

Fixing the issue

What app developers can do:

- Android apps and synchronization services using ClientLogin should switch to https. In the newest Android release (2.3.4) this step was already taken for the Google Calendar and Contacts apps, but other apps need to follow. The Gallery app is developed by Cooliris who probably were not made aware of the issue. However, the Android security team told us that they are investigating the Gallery app as well. So hopefully a fix should be integrated in the next release.
- Google APIs offer more secure authentication services. Switching to OAuth for authentication would mitigate the authToken capture issue. Https should be used in addition to prevent synced data from being transmitted in the clear.

What Google/Android can do:

- The lifetime of an authToken should be drastically limited.
- Google services could reject ClientLogin based requests from insecure http connections to enforce use of https. Https is already required for the Google Docs API and will be required for Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs.
- Automatically connecting to known Wifi-networks could be limited to protected networks. At least a respective option should be provided to users.
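
The first two server-side measures above (refusing ClientLogin requests that arrive over http and shortening the authToken lifetime) can be sketched as a single request gate. This is an added example, not code from Google or from the researchers: the `Authorization: GoogleLogin auth=` header form is the one ClientLogin uses, while the one-hour limit, the in-memory token store and the decision to revoke a token seen in cleartext are assumptions of this sketch.

```python
from dataclasses import dataclass

# Assumption: the article asks for a "drastically limited" lifetime without
# giving a figure; one hour is a placeholder chosen for this example.
MAX_TOKEN_AGE_SECONDS = 3600
# Authorization header scheme that carries a ClientLogin authToken.
CLIENTLOGIN_PREFIX = "GoogleLogin auth="


@dataclass
class Request:
    scheme: str       # "http" or "https", as reported by the TLS terminator
    headers: dict     # header name -> value
    received_at: int  # Unix time


def extract_auth_token(headers):
    """Return the authToken from the Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith(CLIENTLOGIN_PREFIX):
            return value[len(CLIENTLOGIN_PREFIX):].strip()
    return None


def evaluate(request, issued_at_by_token):
    """Return (status_code, reason) for one API request."""
    token = extract_auth_token(request.headers)
    if token is None:
        return 401, "no ClientLogin token"
    if request.scheme.lower() != "https":
        # The token crossed the network in the clear, so anyone on the path
        # may hold it. Revoking it (dropping it from the store) is this
        # example's own choice, beyond simply refusing the request.
        issued_at_by_token.pop(token, None)
        return 403, "token sent over cleartext http; revoked"
    issued_at = issued_at_by_token.get(token)
    if issued_at is None:
        return 401, "unknown or revoked token"
    if request.received_at - issued_at > MAX_TOKEN_AGE_SECONDS:
        return 401, "token expired"
    return 200, "ok"


def demo():
    """Run constructed sample requests through the gate."""
    issued = {"tok-A": 1000}  # constructed token store: token -> issue time
    hdr = {"Authorization": "GoogleLogin auth=tok-A"}
    cases = [("https", 1500), ("https", 9000), ("http", 1500), ("https", 1500)]
    return [evaluate(Request(s, hdr, t), issued)[0] for s, t in cases]
```

The last constructed request is a valid https call that is refused only because the same token was seen over http just before it, so the client has to re-authenticate.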

What Android users can do:

- Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
- Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.
- Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget).
- The best protection at the moment is to avoid open Wifi networks altogether when using affected apps.

