Google on Wednesday began distributing a patch to address a security flaw in all but the latest versions of its Android mobile operating system.
The vulnerability could allow an attacker to snoop on phones used on unencrypted Wi-Fi networks to gain access to calendar and contacts information.
“This fix requires no action from users and will roll out globally over the next few days,” Google said in a statement sent to SCMagazineUS.com on Thursday
The search giant’s update forces an HTTPS connection to encrypt traffic from Android devices to Google Calendar and Contacts servers, so an attacker listening in on an unprotected Wi-Fi network cannot intercept the authentication tokens, known as authTokens, used to validate devices.
Google’s fix is being implemented on the server side, meaning it does not require a software update. Google is still investigating whether the issue affects its Picasa Web Albums service, which reportedly also is affected.
In a report released Friday, a team of researchers at Germany’s Ulm University revealed that an attacker could use a packet analyzer tool, such as Wireshark, on unencrypted Wi-Fi networks to capture the authTokens used by Android devices when communicating with certain Google services.
Once captured, an adversary could use the authToken to gain full access to a user’s Calendar and Contacts data.
The issue does not affect the latest Android versions, 3.0 for tablets and 2.3.4 for smartphones, but does impact 99.7 percent of all Android smartphones, which use the vulnerable versions 2.3.3 and later, according to Bastian Könings, Jens Nickels and Florian Schaub, the Ulm University researchers who authored the report.
Worse, the sniffed Calendar authTokens are potentially valid for two weeks, enabling adversaries to capture the tokens, then make use of them at different times and locations, the researchers said.
The issue involves the ClientLogin authentication protocol, which allows users to gain access to their Google Calendar or Contacts account from inside the corresponding Android application. To access these services, the installed application makes a ClientLogin call to Google’s authorization service and provides the user’s login credentials. Upon successful login, Google provides the application with an authToken that can be used to access the requested data.
It is “possible and quite easy” to launch such an attack against Google Calendar, Contacts and Picasa Web Albums service, they added.
Because the issue does not reside in the Android platform itself, Google does not have to rely on its carriers to deliver the fix, which is rolling out over the next several days. In the meantime, researchers cautioned users to avoid accessing affected apps on open Wi-Fi networks.
Joe Pappano, vice president of technical services at mobile device management company Fiberlink, told SCMagazineUS.com in an email Thursday that this flaw does not necessarily pose a significant risk to enterprises but it brings to mind a fundamental security concern involving the Android devices.
“Most companies are taking a wait-and-see approach to Android adoption,” he said. “The primary reason why companies are concerned about large-scale Android deployments is due to how powerless they are to address significant Android vulnerabilities.”