Scary Smart Phone security - (insecurity)

Contributed by David

Android phones.

I use one, and likely most reading this use one.

iOS, RIM (BlackBerry) and WIN 7 Mobile users have far less to worry about.

Whether on a Samsung, LG or another brand, Google's phone OS is now the most widely used operating system for phones.

A story at Computerworld reveals scary details regarding the poor state of Android security for those using such phones. Dan Goodin reports:

The weakness stems from the improper implementation of a protocol known as ClientLogin ... researchers from Germany's University of Ulm said. ... The programming interface retrieves an authentication token that is sent in cleartext. ... Attackers can exploit them to gain unauthorized access to accounts. ... Google patched the security hole this month with the release of Android 2.3.4 ... this means more than 99 percent of Android-based handsets are vulnerable to the attacks ... similar difficulty ... to so-called sidejacking exploits that steal authentication cookies.

Also -

... We wanted to know if it is really possible to launch an impersonation attack against Google services. ... The short answer is: Yes ... and it is quite easy to do. ... The adversary can gain full access to the ... Google user's ... calendar, contacts information, or private web albums. ... Not limited to items currently being synced but affects all items of that user. ... The authToken is not bound to any session or device ... the adversary can subsequently use the captured authToken to access any personal data. ... authTokens were valid for several days ... which enables adversaries to comfortably capture and make use of tokens at different times and locations.

With 99% of Android phones vulnerable to attacks when using public WiFi networks, the first thing one should do is stop using unsecured public WiFi networks. Coffee shops and similar places offer free WiFi, and the truth is that most netbooks and laptop computers are more secure on a public WiFi access point than an Android phone.
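The researchers' findings quoted above (a token sent in cleartext, not bound to any session or device, and valid for several days) correspond to three server-side checks. The following Python example is added here for illustration and is not Google's or the researchers' code; the token format, the key, the `device_id` values and the 15-minute lifetime are all assumptions.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # constructed sample secret, server-side only
MAX_AGE = 15 * 60                     # assumption: 15-minute lifetime, not "several days"

def _mac(user, device_id, expiry):
    # The MAC covers the device, so the token does not verify for another device_id.
    msg = f"{user}|{device_id}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(user, device_id, now=None):
    """Issue 'user|expiry|mac' for one user on one device."""
    if "|" in user or "|" in device_id:
        raise ValueError("'|' is reserved as the field separator")
    expiry = int(time.time() if now is None else now) + MAX_AGE
    return f"{user}|{expiry}|{_mac(user, device_id, expiry)}"

def verify_token(token, device_id, scheme, now=None):
    """Return (accepted, detail) for a token presented with a request."""
    if scheme != "https":
        # A token seen on a cleartext link must be treated as already captured.
        return False, "cleartext transport"
    try:
        user, expiry_text, mac = token.split("|")
        expiry = int(expiry_text)
    except ValueError:
        return False, "malformed token"
    expected = _mac(user, device_id, expiry)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "not issued to this device"
    if (time.time() if now is None else now) > expiry:
        return False, "expired"
    return True, user

def replay_scenarios():
    """Constructed walk-through of the conditions described in the quotes above."""
    t0 = 1_300_000_000  # constructed timestamp
    token = issue_token("alice@example.com", "device-A", now=t0)
    return {
        "same device, https": verify_token(token, "device-A", "https", now=t0 + 60),
        "sent in cleartext": verify_token(token, "device-A", "http", now=t0 + 60),
        "other device": verify_token(token, "device-B", "https", now=t0 + 60),
        "days later": verify_token(token, "device-A", "https", now=t0 + 3 * 86400),
    }

if __name__ == "__main__":
    for case, result in replay_scenarios().items():
        print(f"{case}: {result}")
```

A bare device identifier can itself be copied off a cleartext link, which is why the transport check comes first; a stronger binding would tie the token to a per-device key rather than a name.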

Google is working to solve this issue; it's called Gingerbread.

A Google representative confirmed that the latest versions of Android, 2.3.4 for smart phones and 3.0 for tablets, do not have the problem. "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa," he said in an e-mail statement.

"We tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services)," the report said.

Here is what you can do to be more secure.

Users should update to Android 2.3.4 as soon as possible.

SingTel, StarHub and M1 should push Android 2.3.4 out to their clients soon. As soon as the option to update appears, act quickly and install it!