Study finds 99.7% of Android phones prone to ‘impersonation attacks’

Android might look like a safe system, but researchers from Germany's University of Ulm have discovered that using it on an open Wi-Fi network leaves a hole open for impersonation attacks. Which devices are prone to the attack? 99.7% of Androids, or pretty much every device except for the few running Android 2.3.4. The researchers summed up their findings on whether it’s possible to launch an attack against Google services:

“Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

It’s the unencrypted HTTP protocol used by ClientLogin that allows the user’s password and username to be easily sniffed. The scale of this is pretty big, as the researchers further explain:

“For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.”

Luckily, it seems that the secure HTTPS protocol has been implemented for calendar and contacts authentication in Android 2.3.4, but pictures synced through Picasa could still be subject to the attack. To minimize the chance of having your data stolen, you could avoid using public open Wi-Fi networks or turn off automatic syncing from the Settings menu on your Android device. Hopefully, Google will release a fix for the issue now that the research has been published, but in the meantime let us know your opinion. Is that a serious issue for you?
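
An added example, not from the article or the Ulm researchers: a Python audit of request records from a device you are testing that flags any request presenting a ClientLogin-style `Authorization: GoogleLogin` credential over plain HTTP, the condition that exposes it on an open Wi-Fi network. The hosts, paths and tokens are constructed, and widening the check to Basic and Bearer is an assumption about what else is worth flagging.

```python
from urllib.parse import urlsplit

# Authorization schemes that carry a reusable credential. "GoogleLogin" is the
# scheme ClientLogin clients use; Basic and Bearer are added for generality.
CRED_SCHEMES = {"googlelogin", "basic", "bearer"}

# Constructed request records (hosts, paths and tokens are made up), written
# with the full URL in the request line as an intercepting test proxy logs them.
SAMPLE_REQUESTS = [
    "GET https://calendar.example/feeds/default HTTP/1.1\r\n"
    "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-A\r\n\r\n",
    "GET http://contacts.example/feeds/default HTTP/1.1\r\n"
    "authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-B\r\n\r\n",
    "GET http://photos.example/data/feed HTTP/1.1\r\n"
    "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-C\r\n\r\n",
    "GET http://news.example/index.html HTTP/1.1\r\n"
    "Accept: text/html\r\n\r\n",
]


def parse_request(raw):
    """Split one raw request into (method, parsed URL, lower-cased headers)."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target), headers


def find_cleartext_credentials(raw_requests):
    """Return host, path and auth scheme for credentials sent without TLS."""
    findings = []
    for raw in raw_requests:
        _method, url, headers = parse_request(raw)
        auth_scheme = headers.get("authorization", "").split(" ", 1)[0].lower()
        if url.scheme.lower() == "http" and auth_scheme in CRED_SCHEMES:
            # Report where the leak is, never the token value itself.
            findings.append((url.hostname, url.path, auth_scheme))
    return findings


if __name__ == "__main__":
    for host, path, scheme in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"cleartext {scheme} credential sent to http://{host}{path}")
```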

source: University of Ulm via TheNextWeb

44 Comments

1. remixfa

Posts: 14605; Member since: Dec 19, 2008

so.. he can look at my contacts and view my pictures. the horror! As long as he can't use it to get my banking info from other apps, not a big deal.

43. Lucas777

Posts: 2137; Member since: Jan 06, 2011

did u really just try and make a security breach sound good? cause if this happened to iphone (which they are not stupid enough to do) it would be the next watergate...

2. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

The best approach is an ounce of prevention - don't use public WiFi for anything you wouldn't be comfortable posting on the Internets for the rest of the world to see. Now that a security hole has been identified, I wonder what the response of the handset manufacturers will be. Will they be releasing a patch that closes the vulnerability for existing handsets? Or, will they require purchasing a new handset?

3. Sniggly

Posts: 7305; Member since: Dec 05, 2009

*Rolls eyes* amount of time I spend on public wifi with my phone: practically zero. Sounds like the fix is already in place in 2.3.4. If Google fixes it for older versions, awesome. But this sounds like more anti Android fear mongering.

8. taco50

Posts: 5506; Member since: Oct 08, 2009

Yes how dare phonearena report something that's negative about android. Hopeless fanboy

16. Sniggly

Posts: 7305; Member since: Dec 05, 2009

It's an issue, but much less threatening and ominous than Phonearena is making it sound. Why are you even here commenting on an Android article? Don't you bitch when we show up on your Apple articles? If you're allowed to BS about anything negative related to Apple, I'm allowed to call BS about this stupid fear mongering.

19. SomeGuy unregistered

First off, Phone Arena didn't make this up. "source: University of Ulm via TheNextWeb" Another thing, it gets old when there are rumor articles about the new iPhone, or an article about Apple's profitability and then it becomes an Android vs. iOS debate. It's like this: PA: Apple's profitability is the highest it's ever been... Fandroid: ANDROIDZ HAS DA FLASH! ME: WTH does this have to do with anything in this article?

20. SomeGuy unregistered

I gotta say, though, that this taco50 guy is pretty annoying/ignorant.

21. taco50

Posts: 5506; Member since: Oct 08, 2009

I'm actually not commenting on the article. I was commenting on your dumb fanboy post. Reading comprehension is needed to reply intelligently.

34. Sniggly

Posts: 7305; Member since: Dec 05, 2009

You are in the comments section on this article. You fail.

42. Lucas777

Posts: 2137; Member since: Jan 06, 2011

obviously he put it as a response and not a new comment...

13. SomeGuy unregistered

You're right. Nobody uses public Wi-Fi, and everyone has 2.3.4 running on their phone. I'm sure Apple is behind this report... Steve Jobs I think. *peeks out window*

4. watash

Posts: 1; Member since: May 17, 2011

I kept receiving ads from a relative for sexual stimulants. After a series of these I asked why he was sending them. He said that HE was not sending them. You see, his nice "open", Android OS WAS open to his address book being hacked at the root and that information forwarded to a Canadian distributor who pushes cut-rate Viagra and similar products. The big problem is that he kept his Church registry of some 300 members stored on his Android OS phone. Yes, you guessed it; most of them received the cut-rate sexual stimulant advertisements. He eventually destroyed the phone and moved to a smartphone that has a "closed" OS..

5. protozeloz

Posts: 5396; Member since: Sep 16, 2010

he sure got it from android? because I get Viagra email from people with IOS, BB and even with no phones at all, Facebook is being hacked and abused of, Hotmail is being hacked and abused of, GMAIL is being hacked and abused of, even PlayStation network got hacked with GOD knows what sensible info, and most of them have all your contacts their phones and emails with them, and it seems prevention and caution from the user is the only solution. also he could have sold the phone and got some money out of it instead of breaking it... just saying

7. Benny unregistered

I believe your level of technical knowledge to be practically nil... Your relative never needed to destroy a phone, just understand it enough to reduce or eliminate the risk of data becoming compromised. Closed doesn't mean safer, just less choices for content and functionality on the device. Who wants to have to plug into a computer just to get new media??? Come on, that is the past.

12. SomeGuy unregistered

Pretty sure you can download music, games, movies, and everything else straight to an iDevice.

9. cadet unregistered

let me guess, you own an iPhone?

6. protozeloz

Posts: 5396; Member since: Sep 16, 2010

another reason to stick with my unlimited 3G plan and my mifi

10. TheFunnyMan

Posts: 77; Member since: Jan 26, 2011

Android is open source.....meaning that anyone and everyone can get access to the source coding for the OS. If you use a public network wifi, with no firewall or stopper on your system, you deserve to be hacked.

14. remixfa

Posts: 14605; Member since: Dec 19, 2008

that's actually NOT what android open source means.. but hey, if ur an idiot, keep thinking that. :)

17. Sniggly

Posts: 7305; Member since: Dec 05, 2009

Thank you. I don't know why idiots like him keep believing that.

11. iami unregistered

So seriously what program would i need to download to be able to do this. There are some hot chicks at my school I'd love to see what's saved on the phones lol.

18. Steve Jobs unregistered

Yeah, and you can use the amazon player for music that is on their cloud storage...so what is that guy's point?

22. 530gemini

Posts: 2198; Member since: Sep 09, 2010

Wow, after reading the comments from android users on here, they're actually very understanding and kind and forgiving and lenient users. Oh wait, this is about android devices' vulnerability to hackers, lol I wonder how understanding, kind, and lenient they would be if this is about the iphone? Hahahahahaha.

25. Sniggly

Posts: 7305; Member since: Dec 05, 2009

We would say what we did about the tracking issue, and what we're already saying: fix it please.

28. taco50

Posts: 5506; Member since: Oct 08, 2009

Actually what you said was this: *Rolls eyes* amount of time I spend on public wifi with my phone: practically zero. Sounds like the fix is already in place in 2.3.4. If Google fixes it for older versions, awesome. But this sounds like more anti Android fear mongering.

29. Sniggly

Posts: 7305; Member since: Dec 05, 2009

Yes, I said that it would be awesome for Google to fix it. Way to self own, Taco.

45. taco50

Posts: 5506; Member since: Oct 08, 2009

Apparently you can't even comprehend your own posts. The meaning behind your posts was that this is anti android fear mongering and if google fixes great but if not no biggie. You were owned by your own post. And I could do this easily all the time because you constantly contradict yourself.

23. DD unregistered

So when on wifi, is there some kind of firewall/stopper or app that can be used to prevent hacks on Droid? If so which one? I'm almost never on wifi but just in case

24. LionStone

Posts: 1048; Member since: Dec 10, 2010

Don't worry about it...if it could be done, it would have been done by now...yaawn
