Mobile Security and authTokens
Recently we mentioned the topic of mobile security in this blog, since it keeps being addressed by security researchers. Now there’s something that combines networking, defective by design, and mobile security. German security researchers from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP, which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or deleting is possible once you have the token. The tokens are valid for up to two weeks, so there’s no hurry involved. A few months ago the Firesheep plugin tried to address this design flaw with web applications. As with Firesheep, you are at risk when sharing a network with an attacker; a wireless network comes to mind.
When it comes to mobile devices, the process of upgrading is not as easy as you want it to be. Even though recent Android versions use encrypted HTTPS (starting with version 2.3.4), not all phones have had their OS updated. The update process is tied to the mobile network provider. According to the statistics, 99.7% of all Android phones have the protocol flaw.
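The following is an added example, not code from this post or from the researchers. It audits requests logged by an intercepting proxy on your own test network and reports any authToken sent over plain HTTP without ever storing the token itself. The `Authorization: GoogleLogin auth=...` header is ClientLogin's documented format and is not quoted on this page; the hosts, tokens and record layout are constructed for illustration.

```python
import hashlib

# Constructed sample: (scheme, raw request) pairs as a proxy on your own
# test network might log them. Hosts and token values are made up.
SAMPLE = [
    ("http", "GET /calendar/feeds/default HTTP/1.1\r\n"
             "Host: calendar.example.test\r\n"
             "Authorization: GoogleLogin auth=DQAAAHconstructedtoken1\r\n\r\n"),
    ("https", "GET /contacts/feeds HTTP/1.1\r\n"
              "Host: contacts.example.test\r\n"
              "Authorization: GoogleLogin auth=DQAAAHconstructedtoken2\r\n\r\n"),
    ("http", "GET /index.html HTTP/1.1\r\n"
             "Host: news.example.test\r\n\r\n"),
]

def parse_headers(block):
    """Parse an HTTP header block into a dict with lower-cased names."""
    headers = {}
    for line in block.split("\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def fingerprint(token):
    """Short SHA-256 prefix, so the report never contains the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def audit_requests(records):
    """Return one finding per cleartext request carrying an authToken."""
    findings = []
    for scheme, raw in records:
        request_line, _, header_block = raw.partition("\r\n")
        headers = parse_headers(header_block)
        kind, _, rest = headers.get("authorization", "").partition(" ")
        if scheme != "http" or kind.lower() != "googlelogin":
            continue          # encrypted, or no ClientLogin token present
        params = dict(p.strip().split("=", 1) for p in rest.split(",") if "=" in p)
        token = params.get("auth")
        if token:
            findings.append({"host": headers.get("host"),
                             "path": request_line.split()[1],
                             "token_fp": fingerprint(token)})
    return findings

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE):
        print("cleartext authToken:", finding)
```

Any host that appears in the findings belongs to an app or OS component that still needs to move to HTTPS or be updated.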
This is yet another reason to scrutinise data transmissions of mobile networks, regardless of the level. We will present a review of the risks and weaknesses connected to mobile networks and their clients at the Linuxwochen in Eisenstadt on 21 May 2011, presenting some results from past DeepSec conferences. If you have found design flaws or weaknesses in mobile devices or other equipment, feel free to submit your work. Our Call for Papers is open.