Electronics Weekly Magazine

Comment: Android users risking data leaks on open Wi-Fi

Thursday 19 May 2011 10:36

Android users risk exposing their Google calendars, contacts and other personal details when logging on to unencrypted Wi-Fi networks, say researchers at the University of Ulm in Germany. A weakness in ClientLogin, the authentication system used to access Google services, means that 99.7 per cent of Android smartphones could be attacked.

ClientLogin is designed to increase security by using authentication tokens rather than your username and password. Apps like Google Calendar send your login details to Google's servers and receive a token authorising them to connect, which remains valid for a maximum of two weeks.

In theory this makes your account more secure, because your login details aren't constantly being sent over the network. But the researchers found that the tokens are being sent over unencrypted connections, allowing an attacker to copy them and reuse them.
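As an added illustration (not part of the original article or the researchers' work), the following sketch audits a set of captured requests and reports any that carry a ClientLogin token over a non-HTTPS connection. It assumes the token travels in an `Authorization: GoogleLogin auth=...` header; the hosts, paths and token values are constructed placeholders.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample records (not real traffic): (requested URL, request headers).
SAMPLE_REQUESTS = [
    ("http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_A"}),
    ("https://contacts.example.test/feeds/default",
     {"authorization": "GoogleLogin auth=PLACEHOLDER_TOKEN_B"}),
    ("http://news.example.test/index.html", {"User-Agent": "sample"}),
    ("HTTP://sync.example.test/photos",
     {"Authorization": "GoogleLogin   auth=PLACEHOLDER_TOKEN_C"}),
]


def extract_token(headers):
    """Return the ClientLogin token from an Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() != "authorization":  # header names are case-insensitive
            continue
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() != "googlelogin":
            continue
        for part in params.split(","):
            key, _, token = part.strip().partition("=")
            if key.lower() == "auth" and token:
                return token
    return None


def find_cleartext_tokens(requests):
    """List (host, token fingerprint) for tokens sent without TLS."""
    findings = []
    for url, headers in requests:
        token = extract_token(headers)
        if token is None:
            continue
        parts = urlsplit(url)  # urlsplit lowercases the scheme and hostname
        if parts.scheme != "https":
            # Report a short hash so the audit output never repeats the token.
            fingerprint = hashlib.sha256(token.encode()).hexdigest()[:12]
            findings.append((parts.hostname, fingerprint))
    return findings


if __name__ == "__main__":
    for host, fingerprint in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(f"token sent in cleartext to {host} (sha256 prefix {fingerprint})")
```

The same token sent to the HTTPS host is not reported, which is the distinction the researchers draw: the token scheme itself is sound, but only while the connection carrying it is encrypted.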

So, how serious is this? Well, attackers could potentially gather tokens by setting up a Wi-Fi network with a commonly used name, such as "starbucks", since the default setting of Android phones is to connect to previously known networks. The attacker could then gather tokens and use them to access your data, which could have serious implications.

Anyone with access to your calendar or contacts could modify the data, in addition to simply reading it, and you may not even notice. For example, the researchers suggest an attacker could change the stored email address for your boss, hoping to receive confidential information about their business.

Google has fixed the exploit in the latest version of Android, 2.3.4, but the open nature of the operating system means the vast majority of phones are still using an earlier version. Every Android handset manufacturer and mobile phone network has to put out its own version of the update, and this can sometimes take months.

In the meantime, the researchers recommend avoiding open Wi-Fi networks, and setting your phone to forget any previously used networks to prevent automatic reconnection.

Jacob Aron, New Scientist

 
