
Researchers: Nearly all Android phones leak personal data

Consumer Reports News: May 17, 2011 12:13 PM

New research from computer scientists at the University of Ulm in Germany has found that 99.7 percent of Android-powered smart phones are leaking data that, if stolen, can let criminals into the personal data stored on Google's online services, or cloud.

The issue, say the researchers, is how the Google Android system uses software credentials, called authTokens, that allow users to log in to Google Calendar, Google Contacts, and other cloud-based services. According to the researchers, these tokens are sometimes sent unencrypted and are not specific to the smart phone sending them. What's more, the tokens are valid for weeks at a time.

These three factors make it easy for an attacker to grab the tokens and use them to access the personal data stored on Google's cloud. The researchers wrote on the University of Ulm's blog:

To collect such authTokens on a large scale an adversary could set up a Wi-Fi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately... the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.
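As an added illustration (not code from the article or from the Ulm researchers), the following Python script audits a constructed log of sync requests for the two conditions the researchers describe: an authToken sent over plain HTTP, where anyone on the same network can read it, and the same token used from more than one client address, which a token that is not bound to the device permits. The log format, hosts, paths and token values are all made up; only the `Authorization: GoogleLogin auth=...` header shape is the real ClientLogin convention.

```python
import re
from collections import defaultdict

# Constructed sample of summarised sync requests, one per line:
#   <client_ip> <scheme> <host> <path> <Authorization header value or "-">
# Token values are placeholders, not real ClientLogin tokens.
SAMPLE_LOG = """\
10.0.0.5 http www.google.com /m8/feeds/contacts/default/full GoogleLogin auth=TOKEN_A
10.0.0.5 http www.google.com /calendar/feeds/default/private/full GoogleLogin auth=TOKEN_B
10.0.0.7 https www.google.com /m8/feeds/contacts/default/full GoogleLogin auth=TOKEN_C
10.0.0.9 http www.google.com /m8/feeds/contacts/default/full GoogleLogin auth=TOKEN_A
10.0.0.5 http www.google.com /calendar/feeds/default/private/full -
"""

LINE_RE = re.compile(r"^(\S+) (https?) (\S+) (\S+) (.*)$")
AUTH_RE = re.compile(r"GoogleLogin auth=(\S+)")


def parse(line):
    """Split one summarised request line; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, scheme, host, path, auth = m.groups()
    t = AUTH_RE.search(auth)
    return {"src": src, "scheme": scheme, "host": host, "path": path,
            "token": t.group(1) if t else None}


def audit(log_text):
    """Return (plaintext_exposures, replayed_tokens).

    plaintext_exposures: (client_ip, url, token) for every authToken that
        travelled over plain HTTP, i.e. readable by anyone on the same Wi-Fi.
    replayed_tokens: token -> sorted client IPs, for tokens seen from more
        than one address; a device-bound token could not be reused this way.
    """
    plaintext = []
    seen_from = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["token"] is None:
            continue  # no credential in this request, nothing to leak
        if rec["scheme"] == "http":
            plaintext.append((rec["src"], rec["host"] + rec["path"], rec["token"]))
        seen_from[rec["token"]].add(rec["src"])
    replayed = {tok: sorted(ips) for tok, ips in seen_from.items() if len(ips) > 1}
    return plaintext, replayed


if __name__ == "__main__":
    exposures, reused = audit(SAMPLE_LOG)
    for ip, url, tok in exposures:
        print(f"plaintext authToken {tok} from {ip} to {url}")
    for tok, ips in reused.items():
        print(f"token {tok} used from several clients: {', '.join(ips)}")
```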

The researchers suggest that if you're an Android user, you should:

  • Update your phone to the current Android version (2.3.4) as soon as possible. Depending on your phone vendor, however, you may have to wait weeks or months before an update is available for your phone. Hopefully this will change in the future.
  • Switch off automatic synchronization in the settings menu when connecting with open Wi-Fi networks.
  • Avoid open Wi-Fi networks when using affected apps.

You'll find other security threats from cell phones in our report, Mobile phones: The new risk. And for tips on protecting your personal data on all your devices, see Consumer Reports' Guide to Online Security.

Catching AuthTokens in the Wild, The Insecurity of Google's ClientLogin Protocol [University of Ulm]
99.7% of all Android smartphones vulnerable to serious data leakage [ZDNet]
Android handsets 'leak' personal data [BBC News]

Paul Eng
