Google plugs Android security holeBy Johan Keyter 19 May 2011 | Categories: news
Google's popular Android operating system (OS), running on a myriad of mobile devices today was recently found to contain a security hole allowing sensitive data to be accessed without a user's authorisation. According to The Register, Google seems to have solved the issue, which affected some 99% of Android users.
Researchers from Germany's University of Ulm made the discovery earlier this week, finding that the weakness stemmed from an authentication protocol named ClientLogin found in Android versions 2.3.3 and earlier, still used on the majority of smartphone devices as well as some tablets.
The breach allowed hackers to gain access to user accounts on the Android servers by stealing digital credentials used to access Google Calender, Contacts and possibly other accounts. “We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so,” the researchers wrote.
Attacks could be launched over Wi-Fi and other open networks where hackers could copy the so-called authTokens which is created when users log in to the Google Calendars and Contact services. These files could then be used to access their accounts.
Google quickly responded to the leak, with a server-side fix being implemented to address the problem. “Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no actions from users and will roll out globally over the next few days,” a Google spokesman stated.
It's good to see a fix coming in a timely manner, but the vulnerability raises a number of critical questions regarding the security of the Android OS. If independent researchers were needed to find this flaw, how many others are out there still waiting to be uncovered?
Most Read Articles
Have Your Say
What new tech or developments are you most anticipating this year?