It seems that the more connected smartphones get, the more vulnerable they become to hackers and others with ill intentions. The latest word is that up to 99.7% of Android smartphones (that's virtually every single Android-powered phone) leak login data for Google services, while also opening up access to other information stored in the cloud. At least, that is what German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm allege.
The potential leak stems from the fact that applications which deal with Google services request authentication tokens. The upside of these tokens is that the user does not need to log in to the service each time, but they are sometimes sent in plain text over wireless networks, which means anyone eavesdropping on the Wi-Fi network can grab hold of these tokens and hijack your handset. In addition, since the tokens are not specific to the handset, a token meant for one particular handset could be used from another instead.
What are some of the implications of this potential PR disaster? For Calendar data, it could result in anything from disclosure to loss of personal information. As for Contact information, the private information of others is also affected, including the potential for phone numbers, home addresses and email addresses to be snooped on. Even worse is the longevity of such tokens: imagine taking 14 days for your Calendar token to expire!
For those who rely on Google services on their Android smartphone for everyday use, here are some suggestions to plug these holes. Start by upgrading to an Android version that offers HTTPS for Google Calendar and Contacts sync, or turn off automatic sync when using open Wi-Fi. Last but not least, steer clear of affected apps on open Wi-Fi connections.