Google fixing Android security flaw
Google Inc. is updating its Android operating system to fix a security flaw that is believed to have left millions of smartphones and tablets vulnerable to personal data leaks.
The flaw “could, under certain circumstances, allow a third party access to data available in calendar and contacts,” a Google spokesman said in a statement. “This fix requires no action from users and will roll out globally over the next few days.”
The fix is being issued for each version of Android released, and phones and tablets began automatically getting the updates Wednesday, according to a person who spoke on condition of anonymity because the person was not authorized to speak about the software update.
The Mountain View, Calif., tech giant hasn’t found any instances of hackers taking advantage of the flaw to steal personal data, the person said, adding that Google hadn’t known of the potential for such an exploitation until Germany’s University of Ulm issued a report on the security hole.
“The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data,” Ulm researchers Bastian Könings, Jens Nickels and Florian Schaub wrote in their report.
“For contact information, private information of others is also affected, potentially including phone numbers, home addresses and email addresses.”
The vulnerability in Android was first pointed out by Rice University professor Dan Wallach in February, and the University of Ulm researchers investigated it further.
“Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing,” the Ulm researchers said. “For example, an adversary could change the stored email address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”
The flaw affected 99.7% of all Android smartphones and was not limited to Google Calendar and Contacts, “but is theoretically feasible with all Google services,” the University of Ulm said.
Among the weaknesses mentioned in the report was ClientLogin, Android’s system to authenticate apps.
“Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via a https connection,” the report said.
If the authToken is sent over an unsecured wireless network, “an adversary can easily sniff the authToken” and use it to access personal data available to installed apps.
“For instance, the adversary can gain full access to the calendar, contacts information or private Web albums of the respective Google user,” the Ulm researchers said. “This means that the adversary can view, modify or delete any contacts, calendar events or private pictures. This is not limited to items currently being synced but affects all items of that user.”
The tactic “is very similar to stealing session cookies of websites” or sidejacking, which is a popular attack among hackers breaking in to Facebook or Twitter accounts over unsecured wireless networks.
