Android phones insecure on public Wi-Fi

Researchers have shown that Android handsets use insecure authentication that could let hackers access your Google Contacts, Calendar and other services.

The ULM University carried out a test of Android handsets and found that on public Wi-Fi networks, which don’t use encryption, it was possible to capture the authentication token (authToken) from Google. This authToken can be used for up to two weeks to access Google services, including Google Calendar and Contacts. This isn’t the limit of the problem and any application that uses the ClientLogin authentication process is potentially at risk.

“Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs,” said the report.

The problem is that the authToken is passed insecurely over standard HTTP, rather than using HTTPS. This makes it possible to steal on an unsecured network. ULM University also warned that a hacker looking to grab tokens on a large scale could set up a rogue Wi-Fi network with a common SSID of a public network (known as an Evil Twin) and capture all Android phones that connect to it.

In testing, the researchers used Android 2.1, 2.2, 2.2.1, 2.3.3 and 2.3.4 for smartphones, as well as Android 3.0 for tablets.

It was found that only Android 2.3.4 and higher used HTTPS for Calendar and Contacts Sync to keep the data secure, although even these versions still used the insecure HTTP for Picasa Sync in the Gallery app. As of 2nd May 2011, this means that 99.7 per cent of Android handsets are currently at risk.

Fixing the problem isn’t so easy for Android owners, though, as handset manufacturers are often slow to roll out updates or stop providing them at a certain version. Our advice is to be careful when using public Wi-Fi networks and turn off Wi-Fi when you don’t need it to prevent your phone from accidentally connecting to a rogue access point.