If you own a smartphone nowadays, it’s most likely running Android. The mobile OS’ market penetration is remarkable and is definitely a feather in a cap for the mind behind it at Google. Unfortunately, as we all know, software has flaws and it sometimes takes awhile for to show. Researchers in Germany have uncovered a flaw that poses a potential security threat for a majority of users.
Security researchers at the University of Ulm have discovered that phones that are currently running Android versions 2.3.3 and older are vulnerable to attacks via a weak ClientLogin authentication protocol. This is because every time we login to online services like Twitter or Facebook the authorization token information for that access is stored for 14 days on your phone. This can potentially be a source of a security leak.
How can this be done? Well, a potential hacker can just setup a wifi access point that resembles a local unencrypted wireless network – which are usually found in Starbucks or other public wifi spots. This is a problem because most Android phones automatically connect to a known network. This means that fake network could quite probably activate the automatic connection and syncing. This gives the intruder a chance at stealing those stored authorization tokens.
Why is this a big threat? Right now, most phones are still using Android 2.3.3. The latest version, Android 2.3.4, was released only a few weeks ago and not many have updated yet- and the security hole patch is in there. So better access your sites using only https sites for the moment.