A group of researchers at a German university has uncovered a vulnerability in Android smartphones which allows hackers to get hold of a user's contact and calendar data over open Wi-Fi networks.

Researchers from the University of Ulm have found that all Android versions 2.3.3 or older - which constitute 99.7 percent of Android phones currently in use - are vulnerable to data theft over unencrypted Wi-Fi. Android 3.0 and 2.3.4, however, are not affected by such attacks.

The vulnerability is rooted in the ClientLogin authentication protocol. To use Google services, an installed app requests an auth code or token from ClientLogin to gain access to the service. The user supplies the username and password to the app. The app then makes a ClientLogin call to Google's authorization service seeking an authorization token (authToken), and uses that token to request data access from a Google service. The same token can be reused for subsequent data calls and is valid for about two weeks.

However, if the auth token is used to make calls to a Google service over an open or unencrypted Wi-Fi network, a hacker or other adversary can capture the authToken and use it later to access the data exposed through the service APIs. An impersonator can then read and manipulate personal data such as Google Calendar, Contacts and Picasa Web Albums.

Hackers can gain access to multiple authTokens by setting up a rogue Wi-Fi access point which impersonates the original Wi-Fi, with the same name as an original open Wi-Fi provider like Starbucks, AT&T or T-Mobile. The hacker then waits for Android phones with default settings to connect to the Wi-Fi and siphons off the authTokens requested for various Google services.

Android users can protect themselves from such attacks either by upgrading to Android 2.3.4 or by switching off automatic syncing over open Wi-Fi networks. They can also avoid open Wi-Fi networks altogether, and have the device forget any open network it previously connected to, so that it does not reconnect automatically.
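To make the protocol flow and the risk concrete, here is an added example (not code from the article or from Google) that models the ClientLogin exchange described above and adds the check a defender would run over an app's outbound requests. The response body and request URLs are constructed samples; the SID/LSID/Auth response lines and the `Authorization: GoogleLogin auth=<token>` header follow the protocol as Google documented it.

```python
"""Model of the ClientLogin flow described above, with a defender's audit check.
Constructed example: response body and request URLs are made up; the SID/LSID/Auth
response lines and the 'Authorization: GoogleLogin auth=<token>' header follow the
documented (since retired) protocol."""
from urllib.parse import urlsplit

TOKEN_LIFETIME_SECONDS = 14 * 86400  # article: token valid for about two weeks


def parse_clientlogin_response(body: str) -> dict:
    """Parse the key=value lines ClientLogin returns; Auth is the authToken."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "Auth" not in fields:
        raise ValueError("ClientLogin response carries no Auth token")
    return fields


def auth_header(token: str) -> dict:
    """Header the app attaches to every later data request."""
    return {"Authorization": f"GoogleLogin auth={token}"}


def audit_request(url: str, headers: dict, issued_at: float, now: float) -> list:
    """Findings for one outbound request: the authToken is a bearer credential,
    so anyone on the same open Wi-Fi who sees it in cleartext can replay it
    until it expires. Flag a non-HTTPS URL and a token kept past its lifetime."""
    findings = []
    if not headers.get("Authorization", "").startswith("GoogleLogin auth="):
        return findings  # no ClientLogin token on this request
    if urlsplit(url).scheme != "https":
        findings.append("authToken sent in cleartext; replayable on open Wi-Fi")
    if now - issued_at > TOKEN_LIFETIME_SECONDS:
        findings.append("authToken older than two weeks; should be refreshed")
    return findings


def demo(now: float = 1304899200.0) -> dict:
    """Constructed sample: a ClientLogin reply, then the same Calendar feed
    request over plain HTTP and over HTTPS."""
    token = parse_clientlogin_response("SID=sid-sample\nLSID=lsid-sample\nAuth=tokenSAMPLE\n")["Auth"]
    feed = "www.google.com/calendar/feeds/default/private/full"
    issued = now - 3600  # token fetched an hour ago
    return {scheme: audit_request(f"{scheme}://{feed}", auth_header(token), issued, now)
            for scheme in ("http", "https")}
```

Running `demo()` flags only the HTTP variant, which is exactly the difference between the vulnerable and patched Android builds the article describes: the same token over TLS is no longer readable by anyone else on the network.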

The researchers tested the attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM), using the native Google Calendar, Google Contacts, and Gallery apps.

Google explains the ClientLogin process by citing an example of an installed application that communicates with Google Calendar. Google states: "To accomplish this, you need to get access to a user's Calendar account. Before you can access the account, you need to request authorization from Google. Once you've been successfully authorized and received a token, you can access your user's Calendar data, referencing the token in each request."

The ClientLogin Authorization Process:

[Figure: ClientLogin authorization process]