While insanely popular around the globe, Android has never been without its problems. From fragmentation to security threats, Android’s massive growth has made it a target over other operating systems, and now there’s another way that user data can be taken from someone using a smartphone based on the OS. If you’re on an unsecured WiFi network on your Android phone, one could collect personal data about you.
Your contacts, calendar, and web albums can be stolen right from your handset by using the ClientLogin authentication protocol, if you’ve connected to an unsecured WiFi network. If your Android phone is set up to connect to open WiFi networks automatically, it will attempt to sync apps with Google services. The authentication token could then be intercepted, and could access, modify, or delete information from these services. The authToken can then be accessed for up to two weeks afterward.
So who’s most vulnerable to these sort of attacks, you ask? Well, practically everyone, as those running on Android 2.3.3 and below are the most vulnerable to attacks of this sort. This is because the connection uses HTTP and not HTTPS. Users on Android 2.3.4 have less to worry about, as the syncing connection does use HTTPS, with the exception of Picasa web albums.
However, Google and application developers can do a couple of things to fix this issue, or make it harder for those looking to steal this type of data. Android developers who use the ClientLogin authentication protocol can switch to the more secure authentication services, like oAuth. Google could also shorten the lifespan of authentication tokens, and reject auth-requests that are being sent over an unsecured connection. The report also suggests that users should update to the latest version of Android. Uh, duh.
The best solution at the moment is to avoid open WiFi networks when using the affected applications, but how many people will listen to that? It couldn’t hurt to make a physical backup of your contacts, just in case, but that negates the convenience of the cloud, doesn’t it?