Google authentication protocol flaw endangers Android users

If you’re an Android user that has still not upgraded to the 2.3.4 and 3.0 version, you’re in danger of having the information contained in various Google applications accessed by malicious individuals if you’re using unsecured open Wi-Fi networks.

The fact was proven by three German scientists who decided to test the assertion – made by other researchers – that it was possible to impersonate an Android user to Google Calendar and Google Contacts.

The problem lies in the fact that the ClientLogin authentication protocol used by many Google services requires the application on the user’s device to send out the user’s account name and password via a HTTPS connection, but reciprocates with an authentication token that is sent over unencrypted http.

That wouldn’t be a huge problem if the authentication token expired fast, but according to their test, some are meant to last up to 14 days. So, an attacker can sniff out the token while is being sent, and use it to access the information saved on Google servers since the token is not tied to any session or device specific information.

“For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user,” explain the researchers, and compare the attack to sidejacking.

And while Google has already moved to patch the flaw when it comes to the tokens sent by Calendar and Contacts during synchronization, the Gallery app/Picasa synchronization is still using http and thus is still vulnerable.

What can users do about that? Well, for one, they could update their Android to the current version. Avoiding open Wifi networks and switching off automatic synchronization for the apps is also a good idea.