Most Android Phones Open To Snooping, Report Says
Researchers have pointed out that a flaw in all but the most recent versions of Android leaves the vast majority of Android phones vulnerable to a snooping attack.
A report last week from researchers at Germany’s Ulm University found that Google authentication tokens are susceptible to interception in all but the Gingerbread and Honeycomb releases of Android. As a result, an attacker could easily gain access to a user’s private Google account information, such as calendar and contact information, if that phone is used on an open Wi-Fi network.
The issue here, and it is not unique to Google, is that when unencrypted information is sent over open networks, it is easily intercepted, says Lookout Mobile Security CTO Kevin Mahaffey.
“If you are mailing sensitive data in transparent envelopes, you should not be surprised people can look at (it),” Mahaffey said. Google is not the only one transmitting such tokens or other important information “in the clear,” Mahaffey said. Much of the data transmitted from PCs and phones is still sent over unencrypted connections. However, Mahaffey said the time has come for services to move any potentially sensitive information over a secured connection.
Although such an approach might have been cost-prohibitive back in the early days of the Internet, Mahaffey said it is now economically feasible for most services.
In Google’s case, sending the authentication tokens unencrypted means that an attacker who intercepts one can, even without the user’s password, access the account information for the life of the token, in this case around two weeks. Google changed its processes in the latest releases of Android, but the vast majority of users are running Froyo or older versions of the operating system.
Plus, unlike with a computer vulnerability, users don’t have a way to quickly update their phone’s software as new issues are discovered. Instead, updates to the operating system typically take months to get approved by the phone makers and carriers before becoming available to phone owners, if they are made available at all.
At Google’s I/O conference last week, the company outlined a new industry effort aimed at both speeding up software updates and ensuring that they are made available to users for at least 18 months after a device is introduced.
In the meantime, Mahaffey recommends that users try to avoid unsecured Wi-Fi connections altogether, or, if they are using such connections, that they turn off synchronization and be careful what other types of data they send.
For its part, Google says it is aware of the issue, has made some changes and is working on others.
“We’re aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we’re working on fixing it in Picasa,” Google said.