Apple's Mac OS has recently been having a nightmare with the MacDefender scareware (Mac malware), but attackers have not left Android out of the party: a group of German researchers has disclosed the latest Android security issue. Android OS was not directly hacked; rather, it is the improper way data is transferred that leaves 99.7% of Android users affected. The only users who are not affected are those running Android version 2.3.4 (codenamed Gingerbread). However, most users are still on earlier versions of Android, which is why such a large number of users are affected by this vulnerability.
This Android security flaw exists because the authentication token created during ClientLogin can be stolen when data is transferred via third-party applications such as Facebook, Twitter and so on. The authentication token actually contains the user's username and password, and it is used to log in at the back-end from time to time without the user having to type their username and password over and over again. You can think of this authentication token as a spare key, with your own password being the main key.
The fact is, if no data is transmitted, you are completely safe. Once data is transmitted, however, you are no longer in the safe zone, because the data is sent over HTTP instead of HTTPS. This means that your authentication token travels over an unencrypted channel. As a result, anyone who taps your network connection, especially in a public Wi-Fi area, will be able to see your credentials. They will then be able to view your contacts, edit them, or even delete them. To make the Android security situation worse, this authentication token lasts for as long as 14 days, which gives an attacker plenty of time to abuse your personal information in creative ways you are not going to like.
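To show the two failure modes described above from the defender's side, here is an added example (not code from the article or from Google) of a client-side guard that refuses to attach a ClientLogin-style token to any plain-HTTP request and stops using it once the 14-day lifetime has passed. The header form `Authorization: GoogleLogin auth=<token>`, the endpoint URLs and the token value are assumptions constructed for the example.

```python
"""Guard for ClientLogin-style auth tokens: never send the token over plain
HTTP, and stop using it after the 14-day lifetime described in the article."""
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

TOKEN_LIFETIME = timedelta(days=14)   # lifetime stated in the article


def check_request(url: str, issued_at: datetime, now: datetime) -> str:
    """Return 'cleartext', 'expired' or 'ok' for sending the token to url."""
    if urlparse(url).scheme.lower() != "https":
        # The flaw described above: on http:// the token crosses the network
        # unencrypted, so anyone on the same Wi-Fi can read it.
        return "cleartext"
    if now - issued_at > TOKEN_LIFETIME:
        return "expired"
    return "ok"


def build_headers(token: str, issued_at: datetime, url: str,
                  now: datetime) -> Optional[dict]:
    """Headers carrying the token in the assumed ClientLogin form
    (Authorization: GoogleLogin auth=<token>), or None if it must not be sent."""
    if check_request(url, issued_at, now) != "ok":
        return None
    return {"Authorization": f"GoogleLogin auth={token}"}


def audit(sync_endpoints, issued_at: datetime, now: datetime) -> dict:
    """Map each configured sync endpoint to its verdict, so an app can be
    reviewed before automatic synchronisation is switched on."""
    return {url: check_request(url, issued_at, now) for url in sync_endpoints}


if __name__ == "__main__":
    # Constructed sample data: not real Google endpoints or a real token.
    issued = datetime(2011, 5, 1)
    now = datetime(2011, 5, 10)
    endpoints = [
        "http://sync.example.invalid/contacts",    # plain HTTP: token would leak
        "https://sync.example.invalid/calendar",   # TLS: safe to send
    ]
    for url, verdict in audit(endpoints, issued, now).items():
        print(f"{verdict:9} {url}")
    print(build_headers("EXAMPLE_TOKEN", issued, endpoints[1], now))
```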
Android Security – Solution?
For this Android security issue, the one thing you can do as an end-user is update your Android version to 2.3.4. I am not too sure whether you are able to do that with your smartphone or not, as I myself am not an Android user. If you are not able to do so, you might want to think twice before using your smartphone in an unencrypted Wi-Fi zone, or what I call public Wi-Fi. For those who are able to update to version 2.3.4, you are also advised to turn off the automatic synchronization feature in the settings menu while using your smartphone in a public Wi-Fi zone.
The other solution is to wait. Four days ago, Google's spokesman released a statement that they are going to roll out a patch on their server side to fix this vulnerability. Google sees this as a very big security issue, and what I like here is the way they are fixing it. The issue is going to be fixed on the server side only, which means there will not be any security patch pushed to existing Android users. In other words, this is going to be a worldwide silent fix. The good news is that the issue is going to be fixed, but we should all stay extra careful when using our smartphones, as it is not only Android security that has been breached, but other platforms as well.
“Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.”