Could 99.7% of Android devices be leaking personal data?

Google's Android chucking out data?

Android phones could be offering up usernames and passwords to hackers, allowing sensitive data to be siphoned off.

Researchers from the Institute of Media Informatics at Ulm University have discovered that Android devices could offer up users' Google Calendar, Contacts and Picasa information.

The research found that devices running Android 2.3.3 and older that use ClientLogin (which is used to authenticate apps from a remote destination) could potentially be hacked when on a non-secure connection, such as an open Wi-Fi hotspot.

This means up to 99.7% of devices could be open to the exploit. ClientLogin works by sending a request for an authentication token (authToken) from the Google service with a user name and password over a secure connection, and the token received is then valid for 14 days.


If that token is then sent over a non-secure connection, anyone with the correct equipment could sniff it out and use it on the same application to find your details, and even head in and modify all items from your Contacts, Calendar or Picasa.
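An added example, not from the research or the article: a Python check that scans recorded app traffic for ClientLogin authTokens sent over plain HTTP and reports which of them may still be inside the 14-day validity window. It assumes the token travels in the `Authorization: GoogleLogin auth=` request header that ClientLogin used; the hosts, tokens and timestamps below are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Validity window of a ClientLogin authToken, as stated in the article.
TOKEN_LIFETIME = timedelta(days=14)

# Request header that carries a ClientLogin token (assumed format, see lead-in).
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)

# Constructed sample: (timestamp, URL, raw request headers), as a proxy log or
# packet-capture export might provide. Hosts and tokens are placeholders.
SAMPLE_REQUESTS = [
    ("2011-05-16T09:00:00", "https://accounts.example.test/ClientLogin",
     "Content-Type: application/x-www-form-urlencoded"),
    ("2011-05-16T09:00:02", "http://calendar.example.test/feeds/default",
     "Authorization: GoogleLogin auth=TOKEN_A_PLACEHOLDER"),
    ("2011-05-16T09:00:05", "https://contacts.example.test/feeds/default",
     "Authorization: GoogleLogin auth=TOKEN_B_PLACEHOLDER"),
    ("2011-05-20T18:30:00", "http://photos.example.test/data/feed",
     "Authorization: GoogleLogin auth=TOKEN_A_PLACEHOLDER"),
]

def find_cleartext_tokens(requests):
    """Map each token seen over http:// to its first sighting and the URLs involved."""
    exposed = {}
    for ts, url, headers in requests:
        match = AUTH_RE.search(headers)
        if not match or not url.lower().startswith("http://"):
            continue  # no token in this request, or it was sent over TLS
        seen = datetime.fromisoformat(ts)
        entry = exposed.setdefault(match.group(1), {"first_seen": seen, "urls": []})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["urls"].append(url)
    return exposed

def still_at_risk(exposed, now):
    """Tokens that may still be valid at `now`.

    The token was issued at or before its first sighting, so it has certainly
    expired once first_seen + 14 days has passed; before that, treat it as live.
    """
    return sorted(t for t, e in exposed.items()
                  if now < e["first_seen"] + TOKEN_LIFETIME)

if __name__ == "__main__":
    found = find_cleartext_tokens(SAMPLE_REQUESTS)
    for token in still_at_risk(found, datetime(2011, 5, 25)):
        print(token, "sent in cleartext to", found[token]["urls"])
```

Any token the check reports should be treated as disclosed until its window has passed or the account password has been changed.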

Google has patched the problem in Android 2.3.4 for Contacts and Calendar, but not Picasa yet, according to the research. Android 3.0+ devices appear to be unaffected.

Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm, write in the research: "The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data.

"For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing.

Adverse action

"For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

The research suggests that if you can't upgrade to Android 2.3.4 the best thing to do is avoid open Wi-Fi networks altogether, although this is pretty sage advice for the most part anyway for anyone using wireless data.

TechRadar has contacted Google to see if it's aware of the issue and whether legacy devices will be receiving a patch in the future, although the research team has already spoken to the Android Security Team and it has confirmed it is looking into the problem.

Via The Register

Gareth Beavis
Formerly Global Editor in Chief