Some 99% of the Android devices out there are vulnerable to a new potential risk that allows an attacker to eavesdrop on any transmitted information.
The attack uses a process similar to that of the Firesheep desktop plugin, which could potentially allow attackers to hijack the tokens (data) used to access calendars, contacts and a number of other services available within Google's Android operating system.
Due to a weakness in how Google's ClientLogin authentication protocol is implemented, authentication tokens are sent in cleartext once a user enters a valid username and password to access a particular service. The attack (in Android versions 2.3.3 and lower) affects almost all Google apps, especially Gallery (Picasa), Calendar and Contacts, as well as third-party apps such as Facebook and Twitter.
The good news is that Google is aware of the vulnerability and has patched the bug in its latest Android 2.3.4 firmware update, although some of its services, including Picasa, are still transmitting sensitive data over unencrypted channels, according to the researchers. Google has confirmed this and says it is working on a fix.
To overcome this issue, developers who use ClientLogin are encouraged to switch immediately to HTTPS connections to secure data and to begin using OAuth for authentication.
Android owners should upgrade to Android 2.3.4 as soon as it is possible to do so and, in the meantime, avoid using any Wi-Fi network that is open and not secure.
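As an added example (not code from the original post or from the researchers), the following script shows the kind of check a developer can run over their own app's captured test traffic to confirm the fix described above: it parses raw HTTP requests, looks for the ClientLogin `Authorization: GoogleLogin auth=` header, and flags every request that carried such a token over plain HTTP rather than HTTPS. The capture format (a transport label plus the raw request text), the sample requests and the host names are constructed for this example.

```python
"""Audit captured HTTP requests for Google ClientLogin tokens sent in cleartext.

Assumptions (constructed for this example): each capture is a pair
(transport, raw_request_text) where transport is "http" or "https".
The header format 'Authorization: GoogleLogin auth=<token>' is the one
ClientLogin clients use; everything else here is sample data.
"""
from dataclasses import dataclass

TOKEN_PREFIX = "GoogleLogin auth="


@dataclass
class Finding:
    host: str
    path: str
    transport: str
    token_fingerprint: str  # only the first 6 characters; never log a full token


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers) with lower-cased header names."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def audit(captures):
    """Return a Finding for every request that sends a ClientLogin token over plain HTTP."""
    findings = []
    for transport, raw in captures:
        _method, path, headers = parse_request(raw)
        auth = headers.get("authorization", "")
        if not auth.startswith(TOKEN_PREFIX):
            continue  # no ClientLogin token in this request
        if transport != "https":
            token = auth[len(TOKEN_PREFIX):]
            findings.append(Finding(headers.get("host", "?"), path, transport, token[:6]))
    return findings


# Constructed sample captures: two Google Data API calls over plain HTTP, one over HTTPS, one unrelated.
SAMPLE_CAPTURES = [
    ("http", "GET /feeds/api/user/default HTTP/1.1\r\nHost: picasaweb.google.com\r\nAuthorization: GoogleLogin auth=DQAAAExampleToken1\r\n\r\n"),
    ("https", "GET /calendar/feeds/default/private/full HTTP/1.1\r\nHost: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAExampleToken2\r\n\r\n"),
    ("http", "GET /m8/feeds/contacts/default/full HTTP/1.1\r\nHost: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAExampleToken3\r\n\r\n"),
    ("http", "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURES):
        print(f"cleartext ClientLogin token sent to {f.host}{f.path} (token starts {f.token_fingerprint}...)")
```

Only the two plain-HTTP requests carrying a token are reported; the HTTPS request and the request without a token pass.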
[Source]- Institute of Media Informatics