back to article 99% of Android phones leak secret account credentials

The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned. The weakness stems from the improper …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

Hm, I was about to rip Samsung a new one in a comment.

...then I did some googling and found this: http://reviews.cnet.com/8301-19736_7-20063177-251.html

Fuck me, Samsung? Actually providing an updated firmware?

I won't believe it until I see it.

0
1
Silver badge
Happy

Nexus S upgraded itself last week.

Verizon/AT&T = All your bucks belong us.

3
1
Silver badge
Boffin

I regularly get updates from Samsung

There's one downloading for my Galaxy S2 even as I type, and roll-out of Gingerbread for the Tab is about to start, I'm told.

GJC

1
0

Samsung is the last brand to buy

I got a lot of Samsung stuff here down to fridge and let me say something: Do NOT buy anything Samsung until they act like a real big brand. I don't talk about sales/hardware specs, I speak about a company who can have english typos (yes, typo) on their pages.

Ask their Symbian users how they got abandoned without any reason and how firmware hackers, actually engineering for free creates miracles.

4
2
Silver badge

Re: I regularly get updates from Samsung

I went ahead and installed Kies specifically because of this article. And Geoff Campbell, I'm well aware of Gingerbread ALLEGEDLY about to be rolled out since I did just post the link about it up there.

My Kies information:

Current firmware version: PDA:U7 / PHONE:JKS / CSC:U5 (CPW)

Latest firmware version: PDA:U7 / PHONE:JKS / CSC:U5 (CPW)

So no, Samsung do not update regularly, and never have. That is unless I bought a Tab that's been sitting in the warehouse for however-long with the latest firmware somehow magicked onto it. Their Android update support is infamously crap, hence my utter surprise at this latest announcement.

Also is it just me, or is Kies an awful, slow POS that makes iTunes seem almost slim?

2
0
Boffin

On the wifi point

I personally make sure to 'forget' networks that I don't personally have any control over.

I would also note that my phone* will actually not remember networks with common names (seen this happen with an AP named 'NETGEAR') to prevent you accidentally trying to connect to any old AP.

* Not android.

1
0
Anonymous Coward

So you never go to Starbucks or use any public Wifi then?

as title

2
3
Jobs Horns

Never heard of 3G?

I can understand those that want to look chic having a coffee and browsing their iTard 4.fail - but for the sake of checking emails or facebook on the go I can't see the point - after faffing and connecting to it 3G would have updated it anyway.

Anon so the fanbois don't lynch mob me! I have an iPhone, but hopefully for not much longer....

4
4

@AC 23:22

Do you light up while filling your car with petrol or add RAM to your PC while it's still running?

"Yay! Free wi-fi! Aww! I got pWn3d!" No thanks.

Good article though :-)

2
2
FAIL

Fail

>>> So you never go to Starbucks or use any public Wifi then?

Reading comprehension fail.

1
1
Grenade

So you all can say

You've never used a public Wifi network, even when abroad, at a airport, hotel, conference, cybercafe... I guess you always go and buy local SIMs with generous data plans even in countries that don't sell them?

You wouldn't get pwned if Google encrypted this information as they should. Don't blame public wifi for this problem.

4
1
Troll

@Metavisor: Caution over "free" wi-fi =/= exoneration of Google

Who blamed this problem on public wi-fi? That was a little party going on in your own head alone it seems. The point was simply that free public wi-fi is often completely unsecured.

As an Android user whose network hasn't deigned to put out Gingerbread 2.3.4 for my handset it does concern me that Google has been sloppy with security for earlier incarnations of Android. Us geeks can make a judgement about the risks of connecting to insecure wi-fi (again, that was implicit in my point) whereas most lay Android users will take the view: "Yay! Free wi-fi!"

3
5
Anonymous Coward

Who?

Well AC 08:39 did.

You as well, but in disguise. Who hasn't been abroad with their smartphones and said "Yay! Free wi-fi!", get real.

Now I know not to use certain services over untrusted Wifi, but apparently Android will go right ahead and sync my calendar and contacts with insecure authentication tokens as soon as it connects.

3
2
PJI
WTF?

What has your incompetence with an iPhone got to do with an Android problem?

Do tell, do.

2
2
Bronze badge
Unhappy

cyanogen

Aftermarket firmware is the only way to get upgrades in a timely fashion.

Carriers don't care - you're already paying

Manufacturers don't care - they want to sell you a new phone

11
0
Happy

Don't be sad

CyanogenMod rocks.

1
0
Anonymous Coward

No problem

The users can just patch their source code and reinstall. What were the commands again?

Found it:

mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make

Does that go into the new Google Docs app or should I send it as a txt?

8
4
Silver badge

Fortunately...

...the only people who've ever seen that line of terminal gunk are likely people who know more-or-less what it means.

5
4
Silver badge
Pint

The clash of Geek and User!

You have to remember that while you may remember all that or even do that kind of thing day-in day-out, most people want a phone to work like their car, TV or fridge. Switch it on and use it as per manual, they do not want an appliance to have to require 6 weeks of evening college to understand.

The last time my dishwasher conk out I didn't bother getting the Zanussi service manual and pulling the back, I was paying for extended warranty so I called up whomever it was I paid, told them the problem and they sent a bloke out within 4 hours to fix it, job done. Same with PCs, phones, cable TV recievers, fridge, cars, a lot of us have other priorities in our lives so we pay for the convenience of someone else to fix stuff when it's broke. It may be odd to some, but that's the way life works today.

6
0

command prompt of %99.9 owners said...

mkdir: command not found.

Seriously, who you think Android users are and who will be hit with such issues?

0
6
Unhappy

Pomposity rules OK

Even most Linux users who claim to be technical never go beyond point and click.

You forgot about back-up, reboot, make depend .... But then, by the snide attitude and complete ignorance of the vast majority of mobile telephone usage, I take it that your UNIX knowledge is just as thin, wonderful as your ability with a search engine may be.

Oh, and you must have "jail-broken" your mobile. Last time I looked, HTC, for instance, did not have a supplied terminal emulator as standard (last week) and a colleague's Samsung has got one installed, but no access to any useful shell commands. (I know, I'm a UNIX fanboy: to me UNIX is a command line/shell driven system on which I can do real development or write natty scripts in ksh, perl or python or awk or ... to make life easy).

So drop the pomposity and know the difference between a telephone (even a "smart" one) and a computer (in the sense of a device into which one logs in and runs a choice of programmes, operating system etc.). A mobile has to work as a reliable, secure communications device for all users, while complying with regulatory, contractual and safety rules and regulations covering the use of telephone networks and frequencies; It should be simple to use with no apparent user maintenance, any more than the long established land lines or basic mobiles such as those supplied for years by Nokia and other suppliers.

7
2
Anonymous Coward

OK rules pomposity

"A mobile has to work as a reliable, secure communications device for all users, while complying with regulatory, contractual and safety rules and regulations covering the use of telephone networks and frequencies; it should be simple to use with no apparent user maintenance"

s/mobile/computer/

s/telephone/computer/

Are they really that different? Not according to your definition. Dig deeper.

You're also deluded about Nokia, I had to take quite a few to the service centre for updates because they would crash, go mad, lose contacts, etc - this was before remote updates came about, which just meant you had to do more updates but now at least you could do them at home.

I call that a lot of user maintenance, not unlike computers actually.

1
1

hehe

Android? good luck with that.

From a very happy WP7 user

1
6
Anonymous Coward

@One of the 3, maybe 4 tops, real WP7 users in AC clothing

"From a very happy WP7 user"

Famous last words

6
1
FAIL

Irony

"Does that go into the new Google Docs app or should I send it as a txt?"

Did y'all miss that bit?

2
0
Anonymous Coward

Manual?

They don't read no stinking manuals, they just switch it on and call support if it doesn't light up. Chimps.... no.. I take that back... chimps can be trained.

1
2

One thing they don't get

Android isn't some nerd's garage invention, it is the market leader and it has a very precious thing: google account credentials.

So it targets general public, not Debian owners who doesn't even need X11 installed. That -was- Neo phone which failed (thanks to hypocrisity of FSF fanatics) miserably.

Checking my posts "thumbs down", they also have unhealthy community of fanatics too. All I said was reminding the fact that it is a general public device and if Google doesn't knock these idiot vendors door soon, some catastrophe is waiting to happen.

You CAN'T deny security updates in 2011, that is also some trainwreck scandal waiting for Apple too (3G iPhone). If it happens, everyone will hear it and governments and carriers will really be pissed off with it. I don't say "free major updates", I say same major version+security update. No new features, just make sure your customer doesn't lose all their real life money.

0
0
Coat

quality not quantity

Android will step on a Mango fruit in September and will get a big dent on its head! From the still very happy WP7 user (Hope all android users are very happy running their antivirus).

0
4
Anonymous Coward

2-step verification

So from what I understand this also affects those of us using the supposedly more secure 2-step verification authentication, for apps that use an application specific password - which lets be honest are all of them?

Why did I even bother turning it on and jumping through the all the hoops of using it.... setting up was a mess, apparently they haven't gotten around to support it well in Android, and now this.

Well done Google, authentication tokens over plain HTTP, top marks for stupidity. Can't even imagine what's in that Honeycomb source code now, if even they admit to having made "shortcuts".

6
0
Anonymous Coward

No no no

It's all a smear campaign, can't you see? Smear smear smear. There is no issue here, passwords have been sent plaintext for ages without any problem whatsoever. Plain text auth tokens are just like plaintext passwords 2.0. Super cool. (anything else is a smear)

We even had our streetcars drive around collecting unencrypted Wifi packets to study in depth how this is such a non-issue.. Out of millions of networks we only collected hundreds of thousands of passwords, it's a whole order of magnitude less, so no worries. Did we say smear yet?

The real story is some very evil PR company paid for by ( Microsoft | Apple | Facebook | Vatican| Scientology| Aliens) asked some very naughty professors to claim this was an actual issue. Can you believe it? Now is that evil or what! Bad bad professors.That is the real problem, not this password thing which is so good it tastes like strawberry. Smear.

Hey look behind you, is that a giant ice cream sandwich? Yummy, all smeared in chocolate.

ps: If any of the professors is reading this remember when we said location data from Android phones was stored with a hashed version of an anonymous token, which is deleted after approximately one week? Well turns out the hash is pretty unique, the "approximately" is exactly just that and the anonymous, well.. >:-> Don't call us, we'll be in touch.

14
10
Happy

*titter*

Nuff sed.

1
0

Aye, here be aggregators

The beauty of modern corporate fuck-ups is how well they scale. This wouldn't be possible in technologically inferior societies, so quit crying about every little bitty breach of 100 million or so.

Yay for progress!

This message brought to you by the Luddite Hammer Company.

2
0
Coat

Aha, some ammunition for my upgrade gun

Take that vodafone, pow pow

4
0
Bronze badge
Thumb Down

Man in the middle attack.

Um....

and this is different to any other man in the middle attack how??

Bottom line is regardless of what device you use to access the internet - unsecured wireless hotspots are ALWAYS a danger!

How many people do you think update their facebook over free WiFi?

How many of those people do you think even know that facebook provides a https option if you turn it on in your account?

I would be willing to bet that 90% of people using facebook over an unsecure wireless network are doing so with using https.

3
2
Anonymous Coward

Wrong assumptions

If you use Farcebook you don't really expect any security do you? All it takes is one of your "friends" account to be hacked and your info's spammer (or worse) fodder.

However I'd think users of Google's Calendar or contacts would expect a bit more.

I don't personally use Calendar but now quite a few people who manage their lives around it. I don't think they'd be happy sharing that with strangers in foreign places (where there's no real option than to use local public Wifi)

0
0

no

"I would be willing to bet that 90% of people using facebook over an unsecure wireless network are doing so with using https."

I would take that bet, and then your money. 90% of people that use facebook would probably stare at you like a confused puppy at the very mention of https.

3
0
Anonymous Coward

And

"I would take that bet, and then your money. 90% of people that use facebook would probably stare at you like a confused puppy at the very mention of https."

And quite possibly with the fact their phones can use Wifi instead of umm, the magic they currently use.

0
0

Inaccurate article title?

"99% of Android phones leak secret account credentials"

I don't think any *credentials* are being leaked here. It seems that the cached plaintext 'auth successful' file. Sure this would allow attackers to automatically gain authentication with services - but it doesn't appear that it actually leaks the account credentials themselves (passwords, usernames, etc).

Concerning, nonetheless.

4
2
Silver badge
FAIL

Re: Inaccurate article title

In crypto, a credential is a token or set of tokens that grant access. It doesn't necessarily mean a username and password, which is one sort of credential, it can quite easily mean a temporary token which can be used to access an authenticated service.

4
0
Pint

Credentials and all that

Indeed. Had a further chat with the author and I can see your point. I think I do still draw a line between 'leaking a temporary token' and 'leaking a username and password that can be used anytime, anywhere' (until they get changed, of course). Most passwords online do not expire and it's only through intelligent security processes that you'll ever see a password get changed... not something that's done often. A temporary token though? It expires. While it's active sure, the attacker can abuse it for all its worth, but once it has expired they need to hunt down a new one.

0
0
Silver badge
Go

Fair game but misleading.

I stongly dislike Google's tentacular approach to user data as much as (and maybe more than) everyone; however the headline is plain silly.

99% apps are rejected from the app store -because face it, noone knows the rules

99% of windows computers are part of a botnet -because any one of them might be at some point

99% of linux boxen are utterly unusable -because who hasn't encountered a kernel crash

99% of phone conversations are recorded by USA spooks -can you prove me wrong?

99% of computer parts are faulty - well they will fail at some point won't they?

99% of car drivers to die in a collision with a firetruck -well, it has happened before, it can happen again.

99% of articles having "99%" in their headline are either junk or going for the easy attention-grab trick -no comment.

But again, that's why I read El Reg!

4
3
Anonymous Coward

How is it misleading?

The title says 99% *leak information*, which is true.

It's not something that may happen or happened once in the past, it's something that does happen every time they're on Wifi (and btw, even if you encrypt with WEP or even WPA - the latter under certain conditions - these have been easily hacked)

1
2
Silver badge

@ metavisor

"The title says 99% *leak information*, which is true." Erm, no its not?

Some models/versions (probably most) are vulnerable to a man-in-the-middle impersonnation attack when authenticating through unsecured connection. Which means, it's only slightly *more* secure than your average unsecured authentication (only a "one-time" token can be stolen, not your actual permanent credentials). That's not exactly "leaking information" in the sense that most people would understand. As for the 99% figure, it's simply pulled out of thin air.

I'm not saying that there's not an issue here, I'm just saying that the title makes it bigger than it actually is. That said, if I didn't like my tech story with a bit of added spice I wouldn't read El Reg.

0
0
Anonymous Coward

@UUCP mail user ElReg!comments!Pierre

I think you didn't read the actual article (not this summary, the actual research one)

There no difference in vulnerability here, if the phone is running anything lower than Gingerbread 2.3.3 it'll be sending plain text authentication tokens to Google for the Calendar, Contact and Picasa sync.

The 99% number is the percentage of Android devices that are not on 2.3.3 yet. All those devices are doing this.

H

0
0
Silver badge

What the heck?

A single-use token can be intercepted when using non-encrypted connexion (that's what you call "plain text" I presume; I'd say it's hardly text, but yes, it's unencrypted. That's the whole problem with unencrypted connections).

That's "leaking information" as in my "99% of computer are faulty" above. Normal people call it "vulnerability to a man-in-the-middle attack". And not the most serious kind either (not that it's not serious; it could just be worst). It is a LOT less dangerous than transmitting your actual username and password, for example, as here all the man-in-the-middle attacker can do is log in in the very service that token was issued for (no credential re-use issue as "ho shit I use the same password for iCalendar and for banking"), and for 14 days "only". Still serious enough, especially on mobile devices which can be expected to connect through insecure networks.

And again, it's not a spontaneous data leak, it's vulnerability to a man-in-the-middle attack (although the title was changed since I posted my first comment; it is less misleading now).

As for the 99%, my objection was that it's assuming that all owners of an "old" Android device are using it to authenticate via unencrypted connections through unsecured networks where there happens to be someone logging that particular type of tokens and using it to implement the attack. It takes all that for any information to actually leak. So I doubt the actual figure is 99%.

I don't say that the title is absolutely completely false, I just say that it's not absolutely true either. That's why I said "misleading". But I don't have any particular problem with that, especially not on El Reg.

0
0

Are Orange and other suppliers now compromising their customers

OK, supposing that the Android system is compromised and that this isn't a M$ smear campaign.

My HTC phone is branded by Orange and still has Android 2.2 because Orange's updates are always way behind the real release. I can't load vanilla Android without voiding my warranty so Orange are now putting all of their customers at risk by not supplying an update.

My question is this: If there is a real security threat, do Orange now have the right to require all of its users to stick with their "version" of the OS on the phones they supply?

1
0

Is this issue really restricted to Android?

It sounds very much like the same issue that Firesheep was getting at, unsecured authentication tokens on unsecured networks. Yes, I would expect better from Google services, but surely this problem happens on any device that connects to insecure networks.

1
1
Anonymous Coward

Not just Android

All rubbish devices and services do, all good ones however use encryption.

1
1
Coat

Oh. I see - the problem concerns Google services

So even if I had an Android phone (which to be honest I have been considering), there would be nothing to worry about as I am not stupid enough to use their services or tell them who I am.

0
1

as far as I heard

Android is so tied to Google services that on some devices, deleting your gmail account may wipe the entire device.

I mean if you don't like Google's stance on prlvacy etc, just don't buy a device with Google OS. Not saying "buy that instead", I am in similar situation and may end up with a small netbook+dumb phone.

1
0

Page:

This topic is closed for new posts.

Forums