Privacy Flaw Exposes 99.7% of Android Phones to Snoop Attacks

May 20, 2011
Cyber Security, FedCyber Wire

via Fox News

Nearly every smartphone running the Google Android platform today is readily vulnerable to data snoops and cyberthieves, who can easily pluck information from them over ordinary Wi-Fi networks, German security experts discovered.

And as consumers increasingly rely upon their phones for banking, shopping, and storing photos, phone numbers and addresses of friends and relatives, flaws like this only underscore the lack of security on today’s hottest gadgets.

“The reality is, you’re carrying around a desktop computer in your pocket — but there’s no security like there is on computers,” explained Dave Aitel, president of security firm Immunity Inc. and a former computer scientist for the National Security Agency.

And no smartphone comes with antivirus software, experts noted.

Android-based smartphones use security tokens to grant access to only certain bits of information on the phone, Aitel explained, such as the Calendar or Google Reader. The token for Gmail is encrypted; all other tokens are unencrypted, he said — and they’re incredibly easy to steal.

“The tokens are essentially keys that only unlock part of the house,” Aitel said. And because they’re passed to Google servers unencrypted, a cybersnoop could easily swipe one while a consumer is surfing the web in Starbucks.

The crook could then use the token to log in to the victim’s Google Calendar with complete access.

The “authtokens” last as long as two weeks, explained Florian Schaub, one of the computer scientists with Ulm University in Germany who identified the security problem. “An attacker can comfortably access these tokens” and then use them at his leisure, he said.
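The two properties the article describes, a bearer token sent over plaintext Wi-Fi and a lifetime of up to two weeks, are what a defender would want a client and a network monitor to enforce against. The following is an added example, not code from the article, from Ulm University, or from Google or Android: a client-side guard that refuses to attach a token unless the request goes over HTTPS to an allowlisted host and the token is within its lifetime, plus a small scanner that flags Authorization headers seen over plaintext `http://` in a constructed flow log. The header format `GoogleLogin auth=<token>`, the host allowlist, and the log layout are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Article: an authtoken stays valid for as long as two weeks.
TOKEN_MAX_AGE = timedelta(days=14)
# Hypothetical allowlist of API hosts the token may be presented to.
TRUSTED_HOSTS = {"www.google.com", "calendar.google.com", "mail.google.com"}


class InsecureTransport(Exception):
    """Raised when a token would be sent over plaintext HTTP."""


class UntrustedHost(Exception):
    """Raised when a token would be sent to a host outside the allowlist."""


class TokenExpired(Exception):
    """Raised when a token is older than the service's stated lifetime."""


def auth_headers(url: str, token: str, issued_at: datetime,
                 now: Optional[datetime] = None) -> dict:
    """Build request headers carrying the token, or refuse to.

    The 'GoogleLogin auth=<token>' header shape is an assumption for
    illustration; the three checks are the point of the example.
    """
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise InsecureTransport(f"refusing to send token over {parsed.scheme!r}")
    if parsed.hostname not in TRUSTED_HOSTS:
        raise UntrustedHost(f"refusing to send token to {parsed.hostname!r}")
    if now - issued_at > TOKEN_MAX_AGE:
        raise TokenExpired("token older than the two-week lifetime; re-authenticate")
    return {"Authorization": f"GoogleLogin auth={token}"}


def decide(url: str, issued_at_iso: str, now_iso: str) -> str:
    """String verdict around auth_headers() for scripting: ok / insecure-transport /
    untrusted-host / expired. Timestamps are ISO 8601 with a UTC offset."""
    issued = datetime.fromisoformat(issued_at_iso)
    now = datetime.fromisoformat(now_iso)
    try:
        auth_headers(url, "TOKEN", issued, now)
    except InsecureTransport:
        return "insecure-transport"
    except UntrustedHost:
        return "untrusted-host"
    except TokenExpired:
        return "expired"
    return "ok"


# Constructed flow log, one request per line: "<request line> | <Authorization header or '-'>".
SAMPLE_FLOW_LOG = [
    "GET http://www.google.com/calendar/feeds/default HTTP/1.1 | Authorization: GoogleLogin auth=DQAAexampleA",
    "GET https://mail.google.com/mail/feed/atom HTTP/1.1 | Authorization: GoogleLogin auth=DQAAexampleB",
    "GET http://example.org/index.html HTTP/1.1 | -",
    "GET http://www.google.com/reader/api/0/subscription/list HTTP/1.1 | Authorization: GoogleLogin auth=DQAAexampleC",
]


def find_plaintext_credentials(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag flows that carry an Authorization header over plaintext http://.

    Returns (1-based line number, hostname) for each offending flow so a
    monitoring job can report which devices are leaking tokens on the network.
    """
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines, start=1):
        request, _, header = line.partition(" | ")
        parts = request.split()
        if len(parts) != 3:
            continue  # malformed record; skip rather than guess
        url = urlparse(parts[1])
        if url.scheme == "http" and header.lower().startswith("authorization:"):
            hits.append((idx, url.hostname or ""))
    return hits


if __name__ == "__main__":
    print(decide("http://calendar.google.com/feeds", "2011-05-10T00:00:00+00:00",
                 "2011-05-20T00:00:00+00:00"))
    print(find_plaintext_credentials(SAMPLE_FLOW_LOG))
```

The client guard fails closed: a downgraded or mis-typed `http://` URL never carries the token, so a passive listener on the same Wi-Fi sees nothing to replay. The scanner covers the other side, spotting tokens already leaking from devices that have not applied such a guard. The Gmail flow on line 2 is not flagged because it is HTTPS, matching the article's note that only the Gmail token was protected.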

Schaub said he and his colleagues were stunned that no one had uncovered the problem before.

“We were really surprised. Were we really the first ones to find this?” he wondered. The finding was even more alarming given that Google offers more secure ways to access its services.

Continued here.