Android Phones Guilty Of Shocking Data Security Fail

News is breaking today of a potentially very dangerous weakness in the Android token authentication for Gmail calendars. On the face of it this is not a major risk; however, if you scratch a little deeper there are some real dangers here.

The problem occurs because Android phones and the Gmail calendars exchange access tokens in plain text, meaning that the tokens can be intercepted and re-used for other purposes. The vulnerability means that a stolen token can be used to access a Google account's calendar, contacts and photos.

A clued-up criminal will therefore be able to access your contacts and potentially re-direct your outgoing email; use the information in your calendar to establish when your home is empty (or worse); and use your photos and tagging information to identify your children and create a plausible story for accessing them.

I'm sure those of a more devious mind will find more ways of exploiting this vulnerability.

Google have apparently fixed the problem in 2.3.4, but as next to no phones are actually running this version of Android that's not really great news.

Time to prove that fragmentation isn't the risk it's claimed to be by others and deliver hot fixes to all Android versions very quickly indeed.
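The plain-text token exchange described above is something a network owner can look for in proxy or gateway logs: requests that carry a token over http://, and exposed tokens that later show up from more than one client. This is an added example, not code from the original post or from Google; the record layout, hostnames and header values are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records (client_ip, url, headers); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "http://calendar.example.test/feeds/default", {"Authorization": "Token auth=AAA111"}),
    ("10.0.0.5", "https://calendar.example.test/feeds/default", {"Authorization": "Token auth=AAA111"}),
    ("10.0.0.9", "http://contacts.example.test/feeds/default", {"authorization": "Token auth=AAA111"}),
    ("10.0.0.7", "http://photos.example.test/album", {}),
    ("10.0.0.8", "https://calendar.example.test/feeds/default", {"Authorization": "Token auth=BBB222"}),
]

def fingerprint(token):
    """Short hash so that findings never contain the credential itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def audit(records):
    """Return (cleartext_findings, reused_fingerprints).

    cleartext_findings: requests that sent an Authorization header over a
                        scheme other than https.
    reused_fingerprints: tokens exposed in cleartext that were also seen
                         from more than one client IP.
    """
    cleartext = []
    ips_by_token = defaultdict(set)
    exposed = set()
    for client_ip, url, headers in records:
        # HTTP header names are case-insensitive.
        token = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        if token is None:
            continue
        fp = fingerprint(token)
        ips_by_token[fp].add(client_ip)
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            exposed.add(fp)
            cleartext.append({"client": client_ip, "host": parts.hostname, "token_fp": fp})
    reused = sorted(fp for fp in exposed if len(ips_by_token[fp]) > 1)
    return cleartext, reused

if __name__ == "__main__":
    findings, reused = audit(SAMPLE_LOG)
    for finding in findings:
        print("token sent in cleartext:", finding)
    print("exposed tokens seen from multiple clients:", reused)
```

Any token flagged this way should be treated as compromised and revoked, since encrypting later requests does not undo the earlier exposure.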
