Virtually all Android smartphones vulnerable to hackers
Published 18/05/2011 | 15:39
Almost all Android smartphones are vulnerable to personal data theft when connected to an unencrypted WiFi network, security researchers have revealed.
By eavesdropping on data sent to the Google Calendar, Contacts and Picasa apps, hackers could steal login credentials and gain full access to accounts.
"For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user," wrote the researchers, from the University of Ulm.
"This means that the adversary can view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."
The vulnerable data are known as Authentication Tokens. They allow users to log in to online services via apps for up to two weeks at a time.
Normally Authentication Tokens are sent to smartphones as encrypted files, but the researchers found that handsets running Android up to version 2.3.3 receive them as plain text files that can be read by anybody.
Using freely available "sniffing" software, hackers could grab the data from the air, making it "quite easy" to hijack Google Calendar, Contacts and Picasa accounts, the researchers said.
Google has said it is aware of the vulnerability and has patched it in the latest Android update, version 2.3.4.
However, 99.7pc of Android handsets in use run version 2.3.3 or earlier, and the update schedule is controlled by mobile networks, not users.
The researchers, who published their findings online, recommended that Android users avoid connecting via unencrypted WiFi networks until they receive version 2.3.4.