Nearly all (99.7%) of Google’s Android phones are vulnerable to hackers, according to new research.
The researchers from German University ULM found that the authentication tokens, which are sent when a Google user accesses their contacts, photos or calendar from their phone, are unencrypted and sent over non-secure networks.
The data being leaked is typically used to get at web-based services such as Google Calendar.
University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub made their discovery while watching how Android phones handle login credentials for web-based services.
Many applications installed on Android phones interact with Google services by asking for an authentication token – essentially a digital ID card for that app. Once issued the token removes the need to keep logging in to a service for a given length of time.
The researchers found that occasionally these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot so criminals eavesdropping on the wi-fi traffic would be able to find and steal them, suggest the researchers.
The study also found that Tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.
There is no suggestion that attackers are exploiting the Android loophole at the moment.
Almost all versions of the Android operating system were passing round unencrypted authentication tokens, found the researchers. It was fixed in version 2.3.4 but, suggest Google figures, only 0.3% of Android phones are running this software.
Commenting on the findings, Omri Sigelman, Vice-President of AVG Mobilation, , said: “The latest research just shows that Android users need even more careful with their phones than they are with their PCs. All platforms are vulnerable to hackers, particularly at the beginning of their lives, but the openness and popularity of Android means that it is especially at risk.
“The fact that these tokens are being sent in plain text over non-secure networks is proof that some quite elementary mistakes have been made, even given the comparative newness of Android as a platform. Sadly, many operators don’t provide the necessary updates, leaving their users vulnerable to critical flaws like this one.”
Read the researchers’ blog here