Study finds 99.7% of Android phones prone to ‘impersonation attacks’

Posted: , by Victor H.

Android might look like a safe system, but researchers from the German University of Ulm have discovered that using it on an open Wi-Fi network leaves a hole open for impersonation attacks. Which devices are prone to the attack? 99.7% of Androids, or pretty much every device except for the few running Android 2.3.4. The researchers summed up their findings on whether it’s possible to launch an attack against Google services:

“Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

It’s the unencrypted HTTP protocol used by ClientLogin that allows the user’s password and username to be easily sniffed. The scale of this is pretty big, as the researchers further explain:

“For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.”

Luckily, it seems that the secure HTTPS protocol has been implemented for calendar and contacts authentication in Android 2.3.4, but pictures synced through Picasa could still be subject to the attack. To minimize the chance of having your data stolen, you could avoid using public open Wi-Fi networks or turn off automatic syncing from the Settings menu on your Android device. Hopefully, Google will release a fix for the issue now that the research has been published, but in the meantime let us know your opinion. Is that a serious issue for you?

source: University of Ulm via TheNextWeb
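
A defender's check for the exposure described above, as an added example that is not from the article or the Ulm researchers: it audits request records for credential material sent over plain HTTP, which is what makes sync traffic readable on an open Wi-Fi network. The hosts, paths, values, header form and the lists of credential names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (not real traffic): (url, headers, body), as a
# proxy log or capture export might provide. Hosts and values are placeholders;
# the "GoogleLogin auth=" header form and Email/Passwd fields are assumed here.
SAMPLE_REQUESTS = [
    ("http://sync.example.test/calendar/feeds/default",
     {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN"}, ""),
    ("https://sync.example.test/contacts/feeds/default",
     {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN"}, ""),
    ("http://photos.example.test/data/feed/api/user/default",
     {"authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN"}, ""),
    ("http://login.example.test/accounts/login",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "Email=user%40example.test&Passwd=PLACEHOLDER&service=cl"),
    ("http://news.example.test/index.html", {"User-Agent": "sample"}, ""),
]

CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}
CREDENTIAL_FIELDS = {"email", "passwd", "password", "username", "auth", "token"}


def exposed_material(url, headers, body=""):
    """Return sorted names (never values) of credentials sent without TLS."""
    parts = urlsplit(url)
    if parts.scheme != "http":      # urlsplit lowercases the scheme
        return []                   # HTTPS request: not readable by a passive sniffer
    found = {f"header:{h.lower()}" for h in headers
             if h.lower() in CREDENTIAL_HEADERS}
    # Credentials can also travel as query-string or form-body parameters.
    for source in (parts.query, body):
        for field in parse_qs(source, keep_blank_values=True):
            if field.lower() in CREDENTIAL_FIELDS:
                found.add(f"param:{field.lower()}")
    return sorted(found)


def audit(requests):
    """Map each cleartext URL that carries credential material to what it carries."""
    report = {}
    for url, headers, body in requests:
        hits = exposed_material(url, headers, body)
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    for url, hits in audit(SAMPLE_REQUESTS).items():
        print(f"CLEARTEXT {url} -> {', '.join(hits)}")
```

The report lists only the names of the exposed headers and parameters, so the audit output does not itself become a copy of the credentials.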

44 Comments




posted on 17 May 2011, 07:17 2

1. remixfa (Posts: 14178; Member since: 19 Dec 2008)


So... he can look at my contacts and view my pictures. The horror! As long as he can't use it to get my banking info from other apps, not a big deal.

posted on 18 May 2011, 11:38 1

43. Lucas777 (Posts: 2137; Member since: 06 Jan 2011)


did u really just try and make a security breach sound good? cause if this happened to iphone (which they are not stupid enough to do) it would be the next watergate...

posted on 17 May 2011, 08:41 2

2. Droid_X_Doug (Posts: 5955; Member since: 22 Dec 2010)


The best approach is an ounce of prevention - don't use public WiFi for anything you wouldn't be comfortable posting on the Internets for the rest of the world to see.

Now that a security hole has been identified, I wonder what the response of the handset manufacturers will be. Will they be releasing a patch that closes the vulnerability for existing handsets? Or, will they require purchasing a new handset?

posted on 17 May 2011, 08:54 4

3. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


*Rolls eyes* amount of time I spend on public wifi with my phone: practically zero.

Sounds like the fix is already in place in 2.3.4. If Google fixes it for older versions, awesome. But this sounds like more anti Android fear mongering.

posted on 17 May 2011, 11:03 3

8. taco50 (banned) (Posts: 5506; Member since: 08 Oct 2009)


Yes how dare phonearena report something that's negative about android. Hopeless fanboy

posted on 17 May 2011, 12:22 6

16. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


It's an issue, but much less threatening and ominous than Phonearena is making it sound. Why are you even here commenting on an Android article? Don't you bitch when we show up on your Apple articles?

If you're allowed to BS about anything negative related to Apple, I'm allowed to call BS about this stupid fear mongering.

posted on 17 May 2011, 12:44 3

19. SomeGuy (unregistered)


First off, Phone Arena didn't make this up. "source: University of Ulm via TheNextWeb"

Another thing, it gets old when there are rumor articles about the new iPhone, or an article about Apple's profitability and then it becomes an Android vs. iOS debate.

It's like this:
PA: Apple's profitability is the highest its ever been...
Fandroid: ANDROIDZ HAS DA FLASH!
ME: WTH does this have to do with anything in this article?

posted on 17 May 2011, 12:45 8

20. SomeGuy (unregistered)


I gotta say, though, that this taco50 guy is pretty annoying/ignorant.

posted on 17 May 2011, 13:29 2

21. taco50 (banned) (Posts: 5506; Member since: 08 Oct 2009)


I'm actually not commenting on the article. I was commenting on your dumb fanboy post. Reading comprehension is needed to reply intelligently.

posted on 17 May 2011, 23:52

34. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


You are in the comments section on this article. You fail.

posted on 18 May 2011, 11:37

42. Lucas777 (Posts: 2137; Member since: 06 Jan 2011)


obviously he put it as a response and not a new comment...

posted on 17 May 2011, 12:05 4

13. SomeGuy (unregistered)


You're right. Nobody uses public Wi-Fi, and everyone has 2.3.4 running on their phone.

I'm sure Apple is behind this report... Steve Jobs I think. *peeks out window*

posted on 17 May 2011, 09:03 2

4. watash (Posts: 1; Member since: 17 May 2011)


I kept receiving ads from a relative for sexual stimulants. After a series of these I asked why he was sending them. He said that HE was not sending them. You see, his nice "open", Android OS WAS open to his address book being hacked at the root and that information forwarded to a Canadian distributor who pushes cut-rate Viagra and similar products.

The big problem is that he kept his Church registry of some 300 members stored on his Android OS phone. Yes, you guessed it; most of them received the cut-rate sexual stimulant advertisements.

He eventually destroyed the phone and moved to a smartphone that has a "closed" OS..

posted on 17 May 2011, 09:26 5

5. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


he sure got it from android? because I get Viagra email from people with IOS, BB and even with no phones at all, Facebook is being hacked and abused of, Hotmail is being hacked and abused of, GMAIL is being hacked and abused of, even PlayStation network got hacked with GOD knows what sensible info, and most of them have all your contacts their phones and emails with them, and it seems prevention and caution from the user is the only solution. also he could have sold the phone and got some money out of it instead of breaking it... just saying

posted on 17 May 2011, 09:44 5

7. Benny (unregistered)


I believe your level of technical knowledge to be practically nil... Your relative never needed to destroy a phone, just understand it enough to reduce or eliminate the risk of data becoming compromised. Closed doesn't mean safer, just less choices for content and functionality on the device. Who wants to have to plug into a computer just to get new media??? Come on, that is the past.

posted on 17 May 2011, 12:03

12. SomeGuy (unregistered)


Pretty sure you can download music, games, movies, and everything else straight to an iDevice.

posted on 17 May 2011, 11:37 4

9. cadet (unregistered)


let me guess, you own an iPhone?

posted on 17 May 2011, 09:28

6. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


another reason to stick with my unlimited 3G plan and my mifi

posted on 17 May 2011, 11:38 2

10. TheFunnyMan (Posts: 77; Member since: 26 Jan 2011)


Android is open source.....meaning that anyone and everyone can get access to the source coding for the OS. If you use a public network wifi, with no firewall or stopper on your system, you deserve to be hacked.

posted on 17 May 2011, 12:13 7

14. remixfa (Posts: 14178; Member since: 19 Dec 2008)


that's actually NOT what android open source means.. but hey, if ur an idiot, keep thinking that. :)

posted on 17 May 2011, 12:23 7

17. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


Thank you. I don't know why idiots like him keep believing that.

posted on 17 May 2011, 11:47 1

11. iami (unregistered)


So seriously what program would i need to download to be able to do this. There are some hot chicks at my school id love to see what saved on the phones lol.

posted on 17 May 2011, 12:41

18. Steve Jobs (unregistered)


Yeah, and you can use the amazon player for music that is on their cloud storage... so what is that guy's point?

posted on 17 May 2011, 13:32 2

22. 530gemini (Posts: 2198; Member since: 09 Sep 2010)


Wow, after reading the comments from android users on here, they're actually very understanding and kind and forgiving and lenient users. Oh wait, this is about android devices' vulnerability to hackers, lol

I wonder how understanding, kind, and lenient they would be if this is about the iphone? Hahahahahaha.

posted on 17 May 2011, 15:31 2

25. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


We would say what we did about the tracking issue, and what we're already saying: fix it please.

posted on 17 May 2011, 15:55 1

28. taco50 (banned) (Posts: 5506; Member since: 08 Oct 2009)


Actually what you said was this:



*Rolls eyes* amount of time I spend on public wifi with my phone: practically zero.

Sounds like the fix is already in place in 2.3.4. If Google fixes it for older versions, awesome. But this sounds like more anti Android fear mongering.

posted on 17 May 2011, 16:27 3

29. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


Yes, I said that it would be awesome for Google to fix it. Way to self own, Taco.

posted on 18 May 2011, 15:20

45. taco50 (banned) (Posts: 5506; Member since: 08 Oct 2009)


Apparently you can't even comprehend your own posts. The meaning behind your posts was that this is anti android fear mongering and if google fixes great but if not no biggie. You were owned by your own post. And I could do this easily all the time because you constantly contradict yourself.

posted on 17 May 2011, 14:51 1

23. DD (unregistered)


So when on wifi, is there some kind of firewall/stopper or app that can be used to prevent hacks on Droid? If so which one? I'm almost never on wifi but just in case

posted on 17 May 2011, 15:12 3

24. LionStone (Posts: 468; Member since: 10 Dec 2010)


Don't worry about it...if it could be done, it would have been done by now...yaawn

posted on 17 May 2011, 15:48 1

26. wow77 (unregistered)


If this was an iPhone everyone would be shitting their pants, but it's android so everything is ok haha

posted on 17 May 2011, 16:30 3

30. Sniggly (Posts: 7183; Member since: 05 Dec 2009)


That's because the iPhone is made out to be the paragon of perfection, while Android is all about continual improvement. If there's a problem, we expect that it will be fixed. But if it's the iPhone, we find it funny because of how much it's treated like Jesus by the fans.

posted on 17 May 2011, 15:52

27. wow77 (unregistered)


If this was the iPhone everyone would be shitting their pants, but because it's android everything is just dandy.

posted on 17 May 2011, 16:54

31. luis_lopez_351 (Posts: 951; Member since: 18 Nov 2010)


You have to be really stupid to trust android with anything... just for fun: you must be really boring and retarded if you use an iphone. But now my medicine: I must be very strict, old and neat if you have Rim or Symbian... There! We all win :)

posted on 17 May 2011, 17:23 1

32. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


too bad they both are having slow painful deaths

posted on 17 May 2011, 17:57

33. IOS5 (unregistered)


Old and neat if you have Rim or Symbian?!! You High or something!

RIM 85% of the user teen and preteen?!!!!!
Symbian still surviving but with car mechanic that using the LED light to check the Engine/car?!!!

Idos Amigo!

posted on 18 May 2011, 01:35

37. luis_lopez_351 (Posts: 951; Member since: 18 Nov 2010)


A teenager can be using a recently released feature phone and it doesn't make it new. Go play with your MP3 player called Ifraud. ;)

posted on 18 May 2011, 04:40

38. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


You know companies are making new kind of featurephones so your argument about something newly released not being new is planning weird, so yeah go play with your enterprise excuse of a smartphone.... oh wait you can't do that can you? Good luck with that "cool" Symbian phone too let's see how much it will last

posted on 17 May 2011, 23:58

35. obvious (unregistered)


well 5 yrs ago it would go like this...

"hey man, browser 2.0 has a security hole!!!"

"ver 2.1 fixes it man, google it... :)"


oh, and www youtube com/watch?v=kTfy96gb2KI

posted on 18 May 2011, 01:23

36. droidnator (Posts: 87; Member since: 10 Mar 2011)


This is bad. I'm a huge Android fan(boy), but this IS a big f*n deal! Let's not turn a blind eye to a big problem like this, just because we love the OS. Love is blind, at least all of you try not to be (blind), and keep an open mind! This better get fixed, I use open Wi-Fi all the time, I hate the notion of strangers being able to poke with their dirty fingers in my personal data!

posted on 18 May 2011, 04:46

39. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


What phone you have? This problem could be fixed with google death ray but may be handled with an update so if you have let's say OG droid you are cool

posted on 18 May 2011, 05:43

40. Android Applications Developme (unregistered)


This problem is basically with Android 2.3.4 and password gets hacked. Stop using public Wi-Fi — coffee shops, book stores, etc to prevent this hacking.

posted on 18 May 2011, 13:20

44. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


good news for people
Google decided to fire up its death ray and fix this issue, cheers
http://goo.gl/qAjQo

posted on 19 May 2011, 01:53

46. droidnator (Posts: 87; Member since: 10 Mar 2011)


Mysterious are the ways of the Goog. But they sure work fast (when they want to). Good news indeed.
