University Study: Google's Android OS ClientLogin Vulnerable to Hijacking

Catching AuthTokens in the Wild – The Insecurity of Google’s ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub, May 13, 2011

“In a recent blog post Dan Wallach outlined some of the risks of using Android smartphones in open Wifi networks. He found that some Android applications transmit data in the clear, allowing an attacker to eavesdrop any transmitted information. Besides third-party apps, such as Twitter or Facebook, also the Google Calendar app transmitted unencrypted information. Wallach stated that “an eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar”. A fact that also applies to Google Contacts as another blog post revealed. We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

Facebook LinkedIn

Posted in: ID Theft, Privacy, Search Engines

University Study: Google's Android OS ClientLogin Vulnerable to Hijacking

Thank you!