May 26, 2011 14:41 GMT  ·  By

Google has patched a security hole in its ClientLogin authentication protocol which allowed potential attackers to steal authentication tokens for several services.

Last week, researchers from the University of Ulm in Germany published a research paper that revealed that over 99% of Android smartphones were vulnerable to session hijacking attacks.

This was because Google Calendar and Contacts sync operations were being performed over unencrypted connections.

Just like with browsers and session cookies, sending authentication tokens over plain HTTP connections poses a lot of risks, especially when connected over open Wi-Fi hotspots.

Attackers can capture the unencrypted traffic by mounting a so-called evil twin attack, in which they duplicate the wireless network's SSID, and extract the ClientLogin authentication tokens from it.

The tokens remain valid for 14 days and allow attackers to download the victim's calendar information and contact book.

In order to mitigate this, Google has made server-side changes that now force all Android devices to use HTTPS connections when syncing calendar and contacts.
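The mechanism above, as an added illustration rather than any code from Google or the Ulm researchers: a ClientLogin token travels in an `Authorization: GoogleLogin auth=<token>` header (the documented header form), so the defensive rule is simply "never attach that header unless the transport is TLS". The script below enforces that rule on the client side, mirrors the server-side change by upgrading sync URLs to HTTPS, and scans a few constructed request records (hostnames, paths and token values are made up) to flag any token that went out over plain HTTP.

```python
# Added example (not Google's code): enforce the same rule Google applied
# server-side, that a ClientLogin token is only ever sent over TLS.
# Header form "Authorization: GoogleLogin auth=<token>" is the documented
# ClientLogin format; all hostnames, paths and token values are constructed.
from urllib.parse import urlsplit, urlunsplit

AUTH_HEADER = "Authorization"
AUTH_PREFIX = "GoogleLogin auth="


class PlaintextTokenError(Exception):
    """Raised when a bearer-style token would be sent without TLS."""


def force_https(url: str) -> str:
    """Upgrade an http:// URL to https://, leaving any other scheme untouched.

    This is the client-side counterpart of the server-side change described
    in the article: sync traffic moves to an encrypted transport before any
    token is attached.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


def build_sync_request(url: str, token: str) -> tuple:
    """Return (url, headers) for a calendar/contacts sync call.

    The token is attached only when the scheme is https; a plain-http URL is
    rejected outright rather than silently leaking a credential that stays
    valid for 14 days.
    """
    if urlsplit(url).scheme != "https":
        raise PlaintextTokenError(f"refusing to send ClientLogin token over {url!r}")
    return url, {AUTH_HEADER: AUTH_PREFIX + token}


def find_exposed_tokens(records):
    """Scan request records (dicts with keys 'url' and 'headers', as a client
    or proxy log would hold them) and return (scheme, host, path) for every
    request that carried a ClientLogin token without TLS."""
    exposed = []
    for rec in records:
        auth = rec.get("headers", {}).get(AUTH_HEADER, "")
        if not auth.startswith(AUTH_PREFIX):
            continue  # no ClientLogin token on this request
        parts = urlsplit(rec["url"])
        if parts.scheme != "https":
            exposed.append((parts.scheme, parts.netloc, parts.path))
    return exposed


# Constructed records: two plaintext sync calls carrying a token, one TLS
# call carrying a token, and one plaintext call with no token at all.
TOKEN = "DQAAA-constructed-token"
SAMPLE_RECORDS = [
    {"url": "http://calendar.example.invalid/sync",
     "headers": {AUTH_HEADER: AUTH_PREFIX + TOKEN}},
    {"url": "http://contacts.example.invalid/feeds",
     "headers": {AUTH_HEADER: AUTH_PREFIX + TOKEN}},
    {"url": "https://calendar.example.invalid/sync",
     "headers": {AUTH_HEADER: AUTH_PREFIX + TOKEN}},
    {"url": "http://picasa.example.invalid/data", "headers": {}},
]

if __name__ == "__main__":
    for hit in find_exposed_tokens(SAMPLE_RECORDS):
        print("token sent in the clear:", hit)
    safe_url, headers = build_sync_request(
        force_https("http://calendar.example.invalid/sync"), TOKEN)
    print("would send", headers, "to", safe_url)
```

Run as-is it reports the two plaintext calendar and contacts requests and then shows the token being attached only after the URL has been upgraded to HTTPS; the Picasa record is not flagged because it carries no token, which is the same gap the article notes for Picasa syncing.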

"We recently started rolling out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," a Google spokesperson told InformationWeek.

The security issue had already been addressed in Android 2.3.4 and 3.0; however, only a very limited number of devices currently have these versions of Android installed.

Given the slow pace at which device manufacturers roll out Android updates, there were fears that it would take a long time for many devices to receive a patch.

A server-side fix is clearly a better solution; however, Picasa syncing is still done over HTTP for the time being, so the problem is not completely addressed.