
Security Vulnerability On Android

It seems that your Android device may not be so safe in terms of security. On top of being extremely open to cases of malware, research done by the University of Ulm in Germany now indicates that about 99% of Android devices leak secret account credentials and are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on Google’s servers.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier. After a user submits their credentials for Google Calendar, Twitter, Facebook, or other accounts, the programming interface retrieves an authentication token (authToken) that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit it to gain unauthorized access to accounts.
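A defender can check whether devices on a network still expose tokens this way by looking for ClientLogin authorization headers on unencrypted requests. The following is an added example, not code from the original article or from the researchers. It assumes a proxy or capture log already reduced to (timestamp, scheme, host, header) records; the `Authorization: GoogleLogin auth=` header format is ClientLogin's but is not stated on the page, and the hostnames, timestamps and token values are constructed.

```python
import hashlib
import re
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(days=14)  # validity window stated in the article
# ClientLogin sends the token as "Authorization: GoogleLogin auth=<token>".
AUTH_RE = re.compile(r"Authorization:\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE)

# Constructed records (timestamp, scheme, host, header line); not real traffic.
SAMPLE = [
    ("2011-05-16T09:12:03", "http", "calendar.example.test",
     "Authorization: GoogleLogin auth=EXAMPLE-TOKEN-AAA"),
    ("2011-05-16T09:40:10", "https", "calendar.example.test",
     "Authorization: GoogleLogin auth=EXAMPLE-TOKEN-BBB"),
    ("2011-05-18T14:02:55", "http", "contacts.example.test",
     "Authorization: GoogleLogin auth=EXAMPLE-TOKEN-AAA"),
    ("2011-05-18T14:03:01", "http", "www.example.test", "Accept: text/html"),
]


def find_cleartext_tokens(records):
    """Return one finding per distinct authToken seen over plain HTTP."""
    findings = {}
    for ts, scheme, host, header in records:
        match = AUTH_RE.search(header)
        if not match or scheme.lower() != "http":
            continue  # no ClientLogin token, or the request was protected by TLS
        seen = datetime.fromisoformat(ts)
        # Keep a fingerprint only, so the report never stores a usable credential.
        fp = hashlib.sha256(match.group(1).encode()).hexdigest()[:12]
        entry = findings.setdefault(
            fp, {"fingerprint": fp, "first_seen": seen, "hosts": set(), "count": 0})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["hosts"].add(host)
        entry["count"] += 1
    for entry in findings.values():
        # Upper bound on validity: a token issued at first sighting expires 14 days later.
        entry["exposed_until"] = entry["first_seen"] + TOKEN_LIFETIME
    return sorted(findings.values(), key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE):
        print(f["fingerprint"], sorted(f["hosts"]), f"seen {f['count']}x,",
              "treat as compromised until", f["exposed_until"].isoformat())
```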

This security hole was patched by Google with the release of Gingerbread 2.3.4 and very possibly with Honeycomb 3. If you recall Android’s fragmented distribution, you will be well aware of how many devices on the smartphone market still run Android 2.3 and, in some cases, even 2.2. If you are such a user, it is highly suggested that you upgrade your Android operating system to 2.3.4 as soon as possible.
