Android, HTTP and authentication tokens

Published: 2011-05-18
Last Updated: 2011-05-18 08:21:53 UTC
by Bojan Zdrnja (Version: 1)
8 comment(s)

A few days ago, a group of researchers from the University of Ulm in Germany published details about a security “vulnerability” in Android operating systems version 2.3.3 or lower. This is not really a vulnerability but the way that Android apps use the ClientLogin authentication protocol in order to access various Google’s services.

As you can probably guess by now – the problem here is that ClientLogin sends authentication data over plain text HTTP connections. The Authorization: header, which is used (as the name implies) for authorization is sent as part of a GET request in plain text so any attacker who can see this traffic can easily extract this header and impersonate the victim. Depending on what you use, the token can give the attacker access to the Calendar and Contact Google applications. What’s even worse, the token is valid for 14 (!!!) days, so once it has been acquired by the attacker it can be easily used in the future.

This issue is not limited only to Android – any other application that uses the ClientLogin protocol over plain text HTTP is subject to similar attacks, however since Android is so wide spread it looks as the most critical target for a potential attacker.

How could an attacker exploit this? First of all, if you are connecting with your Android on any open wireless networks (i.e. Starbucks or similar), the attacker can easily sniff your traffic and collect all authentication tokens. Similarly, the attacker could setup a fake access point with a familiar name to get victims to connect to it – if the attacker is just forwarding traffic (and extracting authentication tokens), the victim will never even know what happens. Finally, attacks such as ARP poisoning are possible even on encrypted wireless networks (if the attacker can connect to it).

What can you do? If possible, update Android to at least version 2.3.4 on your phones since that version uses HTTPS for authentication. In today’s world, there is absolutely no reason not to use SSL to encrypt everything.

--
Bojan
INFIGO IS

8 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives