Major security flaw found in Android phones

@CNNMoneyTech May 18, 2011: 12:27 PM ET
google-io-android.top.jpg

NEW YORK (CNNMoney) -- A significant security hole has been discovered in Google's Android operating system for smartphones, which can allow attackers to gain access to users' personal information without their permission.

The flaw, which was discovered by three research assistants at Ulm University in the southern part of Germany, affects approximately 97% of Android users.

In a recent blog post, the researchers found that users of Android devices running versions 2.3.3 and below could be susceptible to attack when they are connected to unencrypted Wi-Fi networks. Anyone else on that network could gain access to, modify or delete Android users' calendars, photos and contacts.

"It is quite easy," the researchers wrote in a blog post. "The implications of this vulnerability reach from disclosure to loss of personal information."

A spokesman for Google (GOOG, Fortune 500) said the company is aware of this issue, and a fix is already in place for the calendar and contacts applications in the latest versions of Android, codenamed "Gingerbread" and "Honeycomb." A solution is also in the works for Google's Picasa photo sharing service, he said.

Only about 3% of Android users have the latest versions of the operating system, but Google said Android users running older versions will get a fix "in the next few days." Users don't need to take any action, and the patch will roll out globally.

The security flaw stems from Google making use of unencrypted login protocol for the affected services. By using HTTP, rather than the more secure HTTPS, "an adversary can easily sniff the [login information]," according to the blog post.

The kind of attack that can be performed on Android devices over unencrypted Wi-Fi networks is similar to so-called "Sidejacking" attacks on Facebook or Twitter. For instance, Firesheep, a free Firefox extension that collects data broadcast over an unprotected Wi-Fi network, allows users to gain access to other people's Facebook accounts.

Though the researchers found that any unsecured application making use of an Android user's photos, contacts or calendars could be compromised, the data an attacker can gain access to is limited to those three groups. The security bug does not, for example, allow intruders to view a user's e-mails.

Google was able to fix the problem on its end by requiring an HTTPS connection for calendar and contacts synchronization. By solving the problem on its own servers, Google was able to get around a notoriously slow Android update process: after Google updates the code, manufacturing partners and carriers then manipulate the code for each device.

As a result, the vast majority of Android users are still running "Froyo," which launched in May 2010. A quarter of users are still on "Eclair," which came out all the way back in January of last year.

That means a patch for the security hole could have been months or years away for many Android users had Google not found a workaround.

In addition to switching to HTTPS, the researchers also suggested Google prevent Android devices from automatically remembering and logging onto unencrypted Wi-Fi networks. Google did not say whether it had taken any of those steps. To top of page

CNNMoney Sponsors
Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer LIBOR Warning: Neither BBA Enterprises Limited, nor the BBA LIBOR Contributor Banks, nor Reuters, can be held liable for any irregularity or inaccuracy of BBA LIBOR. Disclaimer. Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.