Major security flaw found in Android phones

@CNNMoneyTech May 18, 2011: 12:27 PM ET
google-io-android.top.jpg

NEW YORK (CNNMoney) -- A significant security hole has been discovered in Google's Android operating system for smartphones, which can allow attackers to gain access to users' personal information without their permission.

The flaw, which was discovered by three research assistants at Ulm University in the southern part of Germany, affects approximately 97% of Android users.

In a recent blog post, the researchers found that users of Android devices running versions 2.3.3 and below could be susceptible to attack when they are connected to unencrypted Wi-Fi networks. Anyone else on that network could gain access to, modify or delete Android users' calendars, photos and contacts.

"It is quite easy," the researchers wrote in a blog post. "The implications of this vulnerability reach from disclosure to loss of personal information."

A spokesman for Google (GOOG, Fortune 500) said the company is aware of this issue, and a fix is already in place for the calendar and contacts applications in the latest versions of Android, codenamed "Gingerbread" and "Honeycomb." A solution is also in the works for Google's Picasa photo sharing service, he said.

Only about 3% of Android users have the latest versions of the operating system, but Google said Android users running older versions will get a fix "in the next few days." Users don't need to take any action, and the patch will roll out globally.

The security flaw stems from Google making use of unencrypted login protocol for the affected services. By using HTTP, rather than the more secure HTTPS, "an adversary can easily sniff the [login information]," according to the blog post.

The kind of attack that can be performed on Android devices over unencrypted Wi-Fi networks is similar to so-called "Sidejacking" attacks on Facebook or Twitter. For instance, Firesheep, a free Firefox extension that collects data broadcast over an unprotected Wi-Fi network, allows users to gain access to other people's Facebook accounts.

Though the researchers found that any unsecured application making use of an Android user's photos, contacts or calendars could be compromised, the data an attacker can gain access to is limited to those three groups. The security bug does not, for example, allow intruders to view a user's e-mails.

Google was able to fix the problem on its end by requiring an HTTPS connection for calendar and contacts synchronization. By solving the problem on its own servers, Google was able to get around a notoriously slow Android update process: after Google updates the code, manufacturing partners and carriers then manipulate the code for each device.

As a result, the vast majority of Android users are still running "Froyo," which launched in May 2010. A quarter of users are still on "Eclair," which came out all the way back in January of last year.

That means a patch for the security hole could have been months or years away for many Android users had Google not found a workaround.

In addition to switching to HTTPS, the researchers also suggested Google prevent Android devices from automatically remembering and logging onto unencrypted Wi-Fi networks. Google did not say whether it had taken any of those steps. To top of page

CNNMoney Sponsors

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer.

Morningstar: © 2014 Morningstar, Inc. All Rights Reserved.

Factset: FactSet Research Systems Inc. 2014. All rights reserved.

Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved.

Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor’s Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2014 and/or its affiliates.