Majority of Android Devices Vulnerable to Session Hijacking Attacks




Security researchers have discovered a vulnerability in Google's ClientLogin authentication protocol which allows potential attackers to execute session hijacking attacks against Android users.

The security hole was identified by researchers from the Institute of Media Informatics of the University of Ulm in Germany and builds on the findings of Rice University professor Dan Wallach.

In February, Mr. Wallach discovered that many Android applications sent data in clear form, a problem on unsecured wireless networks where attackers can freely sniff out traffic. The Rice University professor concluded that "an eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar."

"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," said Bastian Könings, Jens Nickels, and Florian Schaub from the German university.

"Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs," they added.


Full story here: http://news.softpedia.com/news/Majority-of-Android-Devices-Vulnerable-to-Session-Hijacking-Attacks-200822.shtml

May 17, 2011 6:45 PM PDT

How to protect your Android on public Wi-Fi

Android phones and tablets running version 2.3.3 and earlier suffer from a calendar and contact information vulnerability on public Wi-Fi networks, according to a new report. However, there are some concrete steps you can take to protect yourself.

Here's how it works. The vulnerability is in the ClientLogin Protocol API, which streamlines how the Google app talks to Google's servers. Applications request access by sending an account name and password via secure connection, and the access is valid for up to two weeks. If the authentication is sent over unencrypted HTTP, an attacker could use network sniffing software to steal it over a legitimate public network, or spoof the network entirely using a commonly-named public network, such as "airport" or "library." While this won't work in Android 2.3.4 or above, including Honeycomb 3.0, that only covers 1 percent of in-use devices.

Of course, the safest solution is to avoid using public, unencrypted Wi-Fi networks by switching to mobile 3G and 4G networks whenever possible. That's not always an option, especially for Wi-Fi-only tablet owners or those on tight data plans.

... Read full post & comments - http://download.cnet.com/8301-2007_4-20063792-12.html

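The token leak both posts above describe (a ClientLogin authToken carried in a plaintext HTTP request on open Wi-Fi, then replayable for up to two weeks), as an added example that is not part of either post or of the Softpedia/CNET articles they quote. It is a small passive detector you could run over reassembled HTTP payloads from a capture, plus the client-side guard that closes the hole. The header form `Authorization: GoogleLogin auth=<token>` is the documented ClientLogin one; the Calendar and Contacts feed paths, the client address and the traffic itself are constructed for illustration, not captured from a real device.

```python
"""Passive detector for Google ClientLogin tokens leaking over plaintext HTTP.

Added example, not code from the forum posts or the articles they quote.
The header format `Authorization: GoogleLogin auth=<token>` is the documented
ClientLogin form; the feed paths and the traffic below are constructed for
illustration and were not captured from a real device.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of what an eavesdropper on open Wi-Fi sees from one
# vulnerable client: two plaintext GData requests carrying the same ClientLogin
# token (valid for up to two weeks), plus one TLS flow that is opaque bytes.
# Tuple layout: (client address, server host:port, raw payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "www.google.com:80",
     b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAMgAAAB-EXAMPLETOKEN_NOT_REAL\r\n"
     b"GData-Version: 2\r\n\r\n"),
    ("10.0.0.5", "www.google.com:80",
     b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAMgAAAB-EXAMPLETOKEN_NOT_REAL\r\n\r\n"),
    ("10.0.0.5", "www.google.com:443",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),  # TLS ClientHello prefix
]

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")
GOOGLELOGIN_AUTH = re.compile(
    rb"^Authorization:[ \t]*GoogleLogin[ \t]+auth=(\S+)", re.I | re.M)


@dataclass(frozen=True)
class TokenLeak:
    client: str
    server: str
    path: str     # which GData API the token was presented to
    token: str    # anyone holding this can replay it until it expires


def find_leaked_tokens(flows):
    """Return one TokenLeak per plaintext HTTP request carrying a ClientLogin token.

    TLS flows never match REQUEST_LINE (their bytes are ciphertext), so they are
    skipped without any attempt to decode them: only cleartext is at risk here.
    """
    leaks = []
    for client, server, payload in flows:
        req = REQUEST_LINE.match(payload)
        if not req:
            continue
        auth = GOOGLELOGIN_AUTH.search(payload)
        if not auth:
            continue
        leaks.append(TokenLeak(client, server,
                               req.group(2).decode(), auth.group(1).decode()))
    return leaks


def leaked_tokens_by_client(flows):
    """Summarise: client -> set of distinct tokens seen in the clear.

    One token reused across Calendar and Contacts means a single sniffed header
    is enough to impersonate the user to every service it was issued for.
    """
    summary = {}
    for leak in find_leaked_tokens(flows):
        summary.setdefault(leak.client, set()).add(leak.token)
    return summary


def build_request_headers(url, auth_token):
    """Client-side guard: attach a ClientLogin token only over HTTPS.

    Raises on any other scheme so a misconfigured endpoint fails closed instead
    of repeating the plaintext leak the posts describe.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send ClientLogin token over {url}")
    return {"Authorization": f"GoogleLogin auth={auth_token}", "GData-Version": "2"}


if __name__ == "__main__":
    for leak in find_leaked_tokens(SAMPLE_FLOWS):
        print(f"{leak.client} -> {leak.server}{leak.path}: "
              f"token {leak.token[:12]}... sent in the clear")
    print(build_request_headers(
        "https://www.google.com/calendar/feeds/default/private/full", "tok"))
```

Run it as-is and it reports the two cleartext requests and silently ignores the TLS flow; feed it real reassembled TCP payloads (for example exported from a packet capture) in the same `(client, server, bytes)` shape to check whether a device on your network is still sending ClientLogin tokens unencrypted. The `build_request_headers` guard is the app-side fix: the token only ever travels inside TLS, which is the change that makes the attack fail on the patched Android versions the second post mentions.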
