Massive Android data leak - how worried do we need to be?

kutsu119 · 18 May 2011 at 8:24PM

Be avidly reading about this massive android mobile data leak - front page of the Metro, BBC, Sky News etc. It sounds as bad, if not worse, than the one that Apple were rightly chastised for (the data tracking thing).

As someone considering buying an Android mobile when my current contract expires, and the apparent difficulty of patching the phones due to how many different versions exist - how worried do we, the consumer, need to be?

steve1980 · 18 May 2011 at 11:32PM

As long as you have the latest version 4.2.3 I think, you're fine.

23n1th · 18 May 2011 at 11:55PM

It would appear that all you need to do to counteract this is to switch off the auto-sync (which I do to save battery power) and use secure networks when updating or syncing your apps.

kutsu119 · 19 May 2011 at 6:42AM

It's pretty poor on Google's part though - especially as so many people took the moral high-ground after the Apple fiasco..

paddyrg · 19 May 2011 at 9:26AM

I just use HSDPA/3G everywhere for everything, no worry about open networks that way. Yes, it is a security vulnerability and a severe one, but only in certain circumstances (promiscuous network activity is always going to be a risk though with any device)

Fifer · 19 May 2011 at 9:59AM

I accept there may be a vulnerability using an open wifi network, but with a properly secured home wifi network or 3G/mobile, is there really much of a vulnerability?

PS I think there's a typo in Steve's post above. The version of Android with the fix is 2.3.4

gaming_guy · 19 May 2011 at 10:25AM

...........

teffers · 19 May 2011 at 10:27AM

Using 2.3.4 so I'm not worried at all :cool:

paddyrg · 19 May 2011 at 1:06PM

Fix going in now... http://www.theregister.co.uk/2011/05/18/google_android_security_fix/

From what I understand...

Attackers monitoring Wi-Fi hotspots and other open networks could exploit the weakness by copying the so-called authTokens and using them to gain unauthorized access to users' Google Calendars and Contacts.

The fix forces Google servers to use an encrypted https connection when phones sync with Calendar and Contacts

mr_fishbulb · 19 May 2011 at 1:40PM

kutsu119 wrote: »

Be avidly reading about this massive android mobile data leak

Forgive me if I'm wrong, but there hasn't been a leak.

This news is of a vulnerability in the way that Android devices authenticate themselves when synchronising. The authentication is done by a token ID (basically a piece of text) which is sent unencrypted and are not one-time authenticators. This is vulnerable to a replay attack where anyone who gets a copy of your token ID can impersonate with it.

Basically a very similar to the vulnerability FireSheep highlighted to the masses where the of sending authentication cookies over http (unencrypted rather than https (encrypted) meant they could be captured and replayed.

23n1th · 20 May 2011 at 10:39AM

I also can't see how this can be worse than apples recent "software bug" which was collecting lots of private data from users.

Massive Android data leak - how worried do we need to be?

Comments

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free