Android, HTTP and authentication tokens
A few days ago, a group of researchers from the University of Ulm in Germany published details about a security “vulnerability” in Android operating system versions 2.3.3 and lower. This is not really a vulnerability but rather the way Android apps use the ClientLogin authentication protocol to access various Google services.
As you can probably guess by now, the problem is that ClientLogin sends authentication data over plaintext HTTP connections. The Authorization: header, which (as the name implies) carries the authorization token, is sent as part of a GET request in plaintext, so any attacker who can see this traffic can easily extract the header and impersonate the victim. Depending on which apps you use, the token can give the attacker access to the Google Calendar and Contacts applications. What’s even worse, the token is valid for 14 (!!!) days, so once the attacker has acquired it, it can easily be reused in the future.
This issue is not limited to Android: any other application that uses the ClientLogin protocol over plaintext HTTP is subject to similar attacks. However, since Android is so widespread, it looks like the most critical target for a potential attacker.
How could an attacker exploit this? First of all, if you connect your Android device to any open wireless network (e.g. Starbucks or similar), the attacker can easily sniff your traffic and collect all authentication tokens. Similarly, the attacker could set up a fake access point with a familiar name to get victims to connect to it; if the attacker simply forwards the traffic (while extracting authentication tokens), the victim will never even know what happened. Finally, attacks such as ARP poisoning are possible even on encrypted wireless networks (if the attacker can connect to them).
What can you do? If possible, update Android to at least version 2.3.4 on your phones since that version uses HTTPS for authentication. In today’s world, there is absolutely no reason not to use SSL to encrypt everything.
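As an added example (not part of this diary or any Google code), the following detector shows what a network defender could run over HTTP request captures to find ClientLogin tokens sent in the clear, so the affected accounts can have their tokens revoked rather than waiting out the 14-day validity window. It assumes the real ClientLogin header form `Authorization: GoogleLogin auth=<token>`; the captured requests, addresses and token values are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample capture: (client IP, destination port, raw request bytes as text).
# Token values are made-up placeholders, not real ClientLogin tokens.
SAMPLE_REQUESTS: List[Tuple[str, int, str]] = [
    ("10.0.0.5", 80,
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAPLACEHOLDERTOKEN\r\n"
     "User-Agent: Android-Calendar/2.3.3\r\n\r\n"),
    ("10.0.0.5", 443,   # same header, but over TLS: not visible on the wire
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAOTHERPLACEHOLDER\r\n\r\n"),
    ("10.0.0.7", 80,
     "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

AUTH_RE = re.compile(r"^Authorization:\s*(\S+)\s+(.*)$", re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def redact(token: str, keep: int = 4) -> str:
    """Keep a short prefix for correlation without re-exposing the secret in reports."""
    return token[:keep] + "..." if len(token) > keep else "..."


def find_cleartext_auth(requests: List[Tuple[str, int, str]],
                        tls_ports: Tuple[int, ...] = (443,)) -> List[Dict[str, str]]:
    """Return one finding per Authorization header observed on a non-TLS port."""
    findings: List[Dict[str, str]] = []
    for src, dst_port, raw in requests:
        if dst_port in tls_ports:
            continue  # encrypted transport; headers are not exposed to a sniffer
        head = raw.split("\r\n\r\n", 1)[0]  # headers only, never parse the body
        host_match = HOST_RE.search(head)
        for m in AUTH_RE.finditer(head):
            scheme, value = m.group(1), m.group(2).strip()
            # ClientLogin tokens arrive as "GoogleLogin auth=<token>"; other schemes
            # (Basic, Bearer, ...) are reported too, since they are equally exposed.
            if scheme.lower() == "googlelogin" and value.startswith("auth="):
                value = value[len("auth="):]
            findings.append({
                "src": src,
                "host": host_match.group(1) if host_match else "?",
                "scheme": scheme,
                "token_prefix": redact(value),
            })
    return findings
```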
--
Bojan
INFIGO IS
Comments
william
May 18th 2011
Val
May 18th 2011
However, mine is rooted and hers is not.
I'm stuck at Android 2.1 for some reason (it won't discover updates for the OS, I am guessing a side effect of rooting it) and wife is on 2.2.1. That is the latest and greatest from Verizon.
The processors on these phones are pretty puny (Flash? forget about it), so I don't know if we'll get future updates to 2.3 at all.
And we've got at least another year on our contracts.
We're hosed then. Good thing the wife doesn't use the WiFi on hers at all and I only connect to my home network with mine. At least that will make exploiting it harder.
We've only got 3G, but that's good enough for most activity. It certainly isn't worth it to connect to strange WiFi unprotected.
Jason
May 18th 2011
John Hardin
May 18th 2011
william
May 18th 2011
Rusty
May 18th 2011
hxxp://news.cnet.com/8301-27080_3-20064011-245.html
dotBATman
May 19th 2011
When MS finally built out Windows Update, we got past waiting for the middlemen. Something similar has to happen for smart phones. At least Google is closer to this. In the meantime, I suggest, if you are inclined, to check out www.xda-developers.com Originally a Windows Mobile expertise site, they have jumped on Android as well. Updates and fixes often appear there before they get support distribution.
Dave
May 19th 2011