Android phones could be offering up usernames and passwords to hackers, allowing sensitive data to be siphoned off.

Researchers from the Institute of Media Informatics at Ulm University have discovered that Android devices could offer up user's Google Calendar, Contacts and Picasa information.

The research found that devices using Android 2.3.3 and older using ClientLogin (which is used to authenticate apps from a remote destination) could potentially be hacked if using a non-secure connection, such as open Wi-Fi hotspot.

This means up to 99.7% of devices could be open to the exploit, which works by sending a request for an authentication token (authToken) from the Google service with a user name and password over a secure connection, and the received item is then valid for 14 days.

Exploit

This means anyone with the correct equipment could sniff it out and use it on the same application to find your details, and even head in and modify all items from your Contacts, Calendar or Picasa.

Google has patched the problem in Android 2.3.4 for Contacts and Calendar, but not Picasa yet, according to the research. Android 3.0+ devices appear to be unaffected.

Bastian Könings, Jens Nickels, andFlorian Schaub from the University of Ulm, write in the research: "The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data.

"For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing.

Adverse action

"For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

The research suggests that if you can't upgrade to Android 2.3.4 the best thing to do is avoid open Wi-Fi networks altogether, although this is pretty sage advice for the most part anyway for anyone using wireless data.

TechRadar has contacted Google to see if it's aware of the issue and whether legacy devices will be receiving a patch in the future, although the research team has already spoken to the Android Security Team and it has confirmed it is looking into the problem

Via The Register