Google has plugged a security hole that exposed the vast majority of Android phone users' calendars and contacts when they accessed those services over unsecured networks. "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data …
I posted this very problem on android stackexchange before Christmas. It is terrible that nobody took this seriously - especially with the fuss about the Firesheep plugin for Firefox.
It took a bit of prompting from the tech media...
...but nice one Google, kudos. Not a lot of kudos, granted.
You'd think they'd know better
You'd think that a company like Google would know better than letting identification go through unencrypted channels (even a one-time token). Especially on a mobile device, which is deemed to connect through non-secure or even hostile networks. Calendar and contact are not banking-site-grade things but still can be used to build further attacks, notably social engineering ones. Potentially not good.
Good that they fixed that one, and from the server side too, no problem from laggard network operators failing to release the upgrade to their clients.
It isn't a "one-time token". The tokens are valid up to a maximum of 14 days and are sent every time the relevant app is opened or synced. All this means is that Google didn't consider that contact and calendar data were important. They've obviously changed their minds now.
"They've obviously changed their minds now..."
I should coco and rightly so! Data Protection Act 1998 anyone?
The guidelines here are useful; http://www.ico.gov.uk/for_organisations/data_protection/security_measures.aspx ; in particular this little gem:
# Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
So a plain text authkey which doesn't expire for a fortnight but which is, potentially, "safeguarding" some pretty personal information, was a complete joke. Glad they fixed it... err... they really have fixed it though right?
A lot of fuss over...
Was this ever exploited? No.
Would this ever have been exploited? Probably not.
Amazing the amount of media sensationalism there is over this (the front page of The Metro - really?!), it almost makes you wonder if one big tech company might be spending money smearing another... nah - that would never happen!
unless you have an Orange branded phone
then you are unlikely to see any sort of update for a while, we are still waiting for 2.3.3!
Read it again
A) Cyanogenmod (other aftermarket firmwares are available)
B) It's a server side fix (refusing the HTTP connection makes handsets try HTTPS)
I guess we'll get this on O2 phones sometime in the next century then....
Learn to read
This is a server side fix so you'll get it immediately as it has nothing to do with O2, your phone or its manufacturer.
Are they making this change server side or client side? I would presume this would be server side, as there are just too many variables to consider client side.
Paris, because there is no Google icon.
beedly boodly beep
"Are they making this change server side or client side?"
It's, er, right there in the article...
This is no fix
Unfortunately, whilst Google's change might protect against passive sniffers, it doesn't protect against a man-in-the-middle attack. This is easy to mount:
* Attacker inserts their own server pretending to be Google
* Fake server says that it can only do HTTP
* Phone happily connects to it
* Fake server opens a separate HTTPS connection to Google
* Fake server copies traffic back and forth, reading and/or modifying it as it goes
This can only be properly fixed client-side. The client code must not fall back to HTTP, and the client must validate the certificate of the server it's talking to.
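The client-side policy this post calls for, written out as an added Python example (not the commenter's code, nor Google's): the token is never attached to a plaintext request, a redirect off TLS ends the attempt instead of retrying over HTTP, and the TLS context verifies both chain and hostname. The host sync.example.invalid, the Bearer header format and the function names are constructed for the example.

```python
"""Added example (not the commenter's code): the client-side policy the post
above calls for, as a small Python sync-client helper. Constructed names:
sync.example.invalid, DowngradeError, the Bearer header format."""
import ssl
from typing import Optional
from urllib.parse import urljoin, urlparse
from urllib.request import Request


class DowngradeError(Exception):
    """Raised when a caller tries to put the auth token on a plaintext channel."""


def make_tls_context() -> ssl.SSLContext:
    """TLS context that verifies the chain against system roots and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_ok(ctx: ssl.SSLContext) -> bool:
    """True only if both certificate and hostname verification are enforced."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def token_may_be_sent(url: str) -> bool:
    """The long-lived token is allowed on https URLs only; nothing else qualifies."""
    return urlparse(url).scheme == "https"


def accept_hop(current_url: str, location: str) -> Optional[str]:
    """Resolve a redirect Location; return None instead of following a downgrade.

    This is the 'fake server says it can only do HTTP' step of the attack above:
    a redirect off TLS ends the sync attempt rather than retrying in plaintext.
    """
    target = urljoin(current_url, location)
    return target if token_may_be_sent(target) else None


def build_sync_request(url: str, auth_token: str) -> Request:
    """Attach the token to an https request; refuse to build a plaintext one."""
    if not token_may_be_sent(url):
        raise DowngradeError(f"refusing to send auth token over {urlparse(url).scheme}")
    # Constructed header format; the real token scheme is not given in the thread.
    return Request(url, headers={"Authorization": f"Bearer {auth_token}"})
```

A client built this way fails closed: when the only server it can reach speaks plain HTTP, the sync simply does not happen and the 14-day token never leaves the handset in the clear.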
Good against providers doing DPI
This is very good news, especially since Vodafone and KPN in the Netherlands have admitted to doing Deep Packet Inspection, which means that they could have your authentication token even when connecting over 3G.
Vodafone NL and KPN doing DPI?
I wonder what phorm that inspection takes?
I do look daft
Just read the email from Dan where he says to read the article again.
Mine's the one with my glasses in the pocket.
How could they NOT take this seriously?
INT WTF? They by default or via user-activated Wi-Fi usage set phones to help Google map out every known or unknown unique, detected Wi-Fi hotspot and had tables logging away on the phone. Now, we find -- and I've suspected all along -- that the calendar and contacts list could be exploited. I think I have not put a damned thing on the calendar out of fear of being exploited. But, prior to 2011 (IIRC), Google made it MANDATORY that the android phone and the google contacts be sync'ed up.
If one wants to think conspiratorially, this could EASILY and HANDILY serve the needs or desires of domestic intelligence agencies of various countries. They could just hoover up the stuff and then build a portfolio, using, say, Visual Analytics-like apps, to monitor clusters of individuals and map them to associations and coincidental convergences and locations.
How could Google NOT know this? I think that one day we're going to find that Google is increasingly compelled to become a tool manipulated by intelligence agencies, google-complying or not.
"I think I have not put a damned thing on the calendar out of fear of being exploited. But, prior 2011 (IIRC), Google made it MANDATORY that the android phone and the google contacts be sync'ed up."
If you don't want to use Gmail, contacts, Google calendar, or in fact, *any* Google service, you don't have to! If you do, then you're outsourcing your privacy and security to them, you have the choice.
My Android is bent to my will, the only interaction it has with Google is the Gmail logon I created the first time I turned it on, just to enable the Market, with no personal details, linked to nothing else and not used.
That's the thing, whilst Google is almost as bad as Apple, you have the options to not give them anything you don't want to.
They know who you are because you're in my contacts, linked by your phone number, and listed with your address and other email addresses.
There is no escape.
Cyanogen + sunny weather
#1 get a real firmware
#2 why the fuck do Linux users have to sync Android over the "cloud"? Got my own servers: if data leaks I'll blame myself but last thing I need is Apple-style nursery.