Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Swiped Tokens Expose Android Devices To Data Theft

CmdrTaco posted more than 3 years ago | from the swipe-the-leg dept.

Android 162

tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

cancel ×

162 comments

Cloud and Google (-1, Flamebait)

x*yy*x (2058140) | more than 3 years ago | (#36154672)

Another case where it really is bad to store everything in the cloud. Is it just me or does Android seem to have these security problems come out almost every day? I hope Google secures its own servers a little better than what the amount of security problems on Android suggests...

Re:Cloud and Google (4, Insightful)

Anonymous Coward | more than 3 years ago | (#36154706)

Please. This is abhorrent fear-mongering.

This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks. Don't send private data that you want to be secure over inherently insecure networks.

Re:Cloud and Google (4, Informative)

jeffmeden (135043) | more than 3 years ago | (#36154836)

While it is fear-mongering, it is hardly as trivial as the Facebook hacks of yore. For one, there is no way to enable/require SSL for these tokens (at least in plain sight). Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

Therefore, if you have an Android phone you basically better never use WiFi at less than WPA2 grade encryption unless you want to risk your email and other services being compromised, period, end of story, no workaround.

I can only hope that thanks to the openness of Android, someone can code an app that allows for more granular control of what services are connecting at any given time, to at least give those with a clue the ability to stay safe when using open wifi.

Re:Cloud and Google (1)

h4rr4r (612664) | more than 3 years ago | (#36154892)

Sure there is, don't support unencrypted wireless on the devices.

Re:Cloud and Google (3, Insightful)

vajorie (1307049) | more than 3 years ago | (#36155116)

You missed this part:

turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

I often connect to unencrypted wireless networks with my laptop, knowing full well that unless I ask it to, it will not be exchanging private info with anything. I set it up that way. How do I do that with my android? I doesn't stop sending bits and pieces of information, afaik, even when you turn off sync. The only thing that comes to mind is using droidwall...

Re:Cloud and Google (2)

asdf7890 (1518587) | more than 3 years ago | (#36155214)

You need to not use wireless at all in that case, aside from known trusted networks that you are sure contain only trusted clients. Unless you are using WPA-Enterprise all clients on the same AP are using the same encryption key so can decode each others packets (intercepted simply by putting your network adaptor into promiscuous mode) easily.

So public wireless is a no-no even if it is not working "plain" (no authentication/encryption), and private wireless is out too unless you have audited every device that has access.

You could get around this by using some for of VPN setup of course, but that option is not open to non-technical users.

Re:Cloud and Google (0)

Anonymous Coward | more than 3 years ago | (#36156710)

So basically then, because Google humped the dog & doesn't allow you to specify to use SSL Authentication, you should therefore not use any unsecured wifi to use your Andriod phone to access Google services?

Seriously, are you fucking KIDDING me?

So when Adroid has an issue, the response is "just don't use it"?

I wonder what the bloodbath would be here if this was the iPhone. Seriously, "it runs linux" is not a reason to ignore the fact that they fucked up again.

Seriously, you fucking Linux/Andriod fanbois are getting worse than the Jobswhores. Grow the fuck up already.

Mods: This is both trolling and flamebait. Please mod accordingly.

Re:Cloud and Google (1)

datapharmer (1099455) | more than 3 years ago | (#36154936)

Seems like it would be easy enough to require ssl for the tokens... can you explain why google couldn't just make this possible via an update? Alternatively they could provide an option to turn off sync when wifi is unsecured.

Re:Cloud and Google (1)

sfunk1x (2085698) | more than 3 years ago | (#36155008)

Who is stupid enough to connect to an unsecured wireless connection... with their personal cellular device?

Re:Cloud and Google (4, Insightful)

mpicker0 (411333) | more than 3 years ago | (#36155118)

Just about anyone at an airport or hotel, for starters. And what's wrong with that? Shouldn't I be able to expect that to work, without compromising my accounts?

Re:Cloud and Google (2)

tepples (727027) | more than 3 years ago | (#36155132)

Who is stupid enough to connect to an unsecured wireless connection

Plenty of people. Otherwise restaurants wouldn't offer them to entice customers to eat there.

with their personal cellular device?

There isn't much of a difference between a "smartphone" and a "laptop" anymore except for size. Tethering and USB 3G modems have turned laptops into "personal cellular devices". (If you disagree, we may have run into a definition problem [google.com] .)

Re:Cloud and Google (2, Insightful)

Bill_the_Engineer (772575) | more than 3 years ago | (#36155412)

Sorry but that argument is lame and totally inappropriate. Google drop the ball on this one. If an application needs to transfer sensitive information back to a server then the application should ensure that it is done securely. It is bad practice to assume that the path to the server is secure.

Why are we only taking Wifi into account? I remember a while back talk about an exploit in GSM that allowed femtocells to eavesdrop on a cellphone's transmissions. Don't assume that wifi is the only weak link.

Re:Cloud and Google (0)

Anonymous Coward | more than 3 years ago | (#36155708)

Everyone? I mean, it should be perfectly secure nowadays, with SSL and the likes. Which is why this is an issue.

Re:Cloud and Google (1)

Illy-chan (2071302) | more than 3 years ago | (#36155812)

Plenty of people. Even if you're among those few who know better, sometimes you don't have a choice. If I'm in the middle of my building, I don't get a signal other than out unsecured wifi. Do you know how my superiors would look at me if I wasn't in contact with them during a major event and I told them it was because I was worried about something like this? At best, they'd stick tin foil on my head. That I'm right makes no difference and I'd rather not get fired.

Yeah, I have Droiwall to try and limit ways my phone can be exploited but that's not a cure-all. Besides, as dependent as the world has become on smartphones, I do think the manufacturers have some level of responsibility to protect customers who are at risk because they don't know better. It's too late to try and limit this type of tech to nerds.

Re:Cloud and Google (0)

Anonymous Coward | more than 3 years ago | (#36155314)

You realize that your WiFi traffic goes plain-text again as soon as it hits that first router? So you can trust a router that encrypts traffic over the air, but not one that ever does? Why is everyone so dense?!?

The traffic is not safe without end to end encryption...

Re:Cloud and Google (1)

jeffmeden (135043) | more than 3 years ago | (#36156010)

Given that someone can't sit next to me at Starbucks, or even in my driveway, and pick up packets off the wire and decode them, yes it is a LOT more worrying that this happens in the air as opposed to it being possible at all. I mean, how often did your PPP dialup and POP3 password get exploited for being transferred in cleartext? Sure, in a perfect world every single endpoint would have a major CA signed cert, and SSL/TLS would wrap every single packet on the internet. Until we get there, I will start my worrying with what happens over the air, and get to the wire when that's done.

Re:Cloud and Google (1)

arkhan_jg (618674) | more than 3 years ago | (#36157378)

Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.

Well, going to 'settings' -> 'accounts & sync' and turning off 'background data' would do it. Then nothing in the accounts and sync page (google calendar, contacts, facebook, exchange etc etc) will be silent syncing in the background on your untrusted network. A lot of third party apps also follow that setting, so it should pretty much kill off all unsolicited background connections unless individually requested in a given app.

If you want to only kill off specific services, and have those require a manual sync, just change the settings for those options under the same acccount & sync page [butterscotch.com] .

Re:Cloud and Google (-1)

Anonymous Coward | more than 3 years ago | (#36154850)

Yeah, it's irrelevant really. Android's abuse of DHCP leases (and Google's refusal to admit the problem exists) means Android devices will be banned from most public WiFi networks before anyone can exploit this.

Re:Cloud and Google (1)

Graham J - XVI (1076671) | more than 3 years ago | (#36155436)

This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks

True, the Facebook thing was a big deal too, and all over the news.

Re:Cloud and Google (0, Flamebait)

clang_jangle (975789) | more than 3 years ago | (#36154720)

Is it just me or does Android seem to have these security problems come out almost every day?

It isn't just you. So far the fanbois mod me down every time I say so, but android really is a huge disappointment. So ironic that Linux finally gets popular, but in such a form.

Re:Cloud and Google (1, Insightful)

mehrotra.akash (1539473) | more than 3 years ago | (#36154808)

A shiny,insecure UI will always be more popular than a Plain,secure one

Re:Cloud and Google (1)

kelemvor4 (1980226) | more than 3 years ago | (#36155808)

That's because shiny is much more important than secure. Learn to live in the parameters of reality, and improve upon weaknesses when possible.

Re:Cloud and Google (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#36156566)

Which one is which?

Re:Cloud and Google (1)

mehrotra.akash (1539473) | more than 3 years ago | (#36156678)

Android vs Blackberry

or the old s60 could be considered as being somewhere in between

Re:Cloud and Google (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#36156860)

What about Blackberry's Android? ;P

Re:Cloud and Google (1)

clang_jangle (975789) | more than 3 years ago | (#36154820)

See? Retards...

Re:Cloud and Google (3, Interesting)

TheGratefulNet (143330) | more than 3 years ago | (#36154898)

google is harming their own rep and they don't even care. or they are too big to stop it.

over the weekend I bought my first android tablet. I didn't expect much as it was a $100 frys special...

the hardware vendor did not care about quality. cardboard chads were stuck under the resistive touch screen and you could see and feel bumps as you moved your finger over. horrible! they released product like that.

worse, the pad went into an annoying crash/reboot cycle. I went into one gui screen, tried to change some values and it crashed/rebooted. I was just configuring something, not even USING the damned tablet.

apple is evil, its true; but at least they ensure a reasonable experience on their tablet. its hella expensive and locked down, but at least they don't ship product with junk under the screen and with glaring showstopper bugs.

I know you can blame the vendor for shoddy hw and sw quality, but it does speak to google that they are so lax with the vendors. a bit of tighter control would have benefited them. the fragmentation is also a fall-out of their lack of management on the android platform.

android is 'all over the place'. its a dogs breakfast. (that's not a good thing, btw).

Re:Cloud and Google (0, Troll)

clang_jangle (975789) | more than 3 years ago | (#36155028)

android is 'all over the place'. its a dogs breakfast. (that's not a good thing, btw).

I'm with you, it's dreadful. My friend has a verizon Droid which has made random calls and sent random texts since new. It flat-out astonishes me that people not only put up with shenanigans like that, but they will aggressively try to shout down anyone who mentions it. When it comes to Android, the emperor simply has no clothes. Of course, the same thing has been true of microsoft's offerings since the beginning. Doesn't seem to hurt adoption, so long as the marketing hits the right spot. But I strongly prefer competent systems.

Re:Cloud and Google (1)

crashumbc (1221174) | more than 3 years ago | (#36155220)

Sounds like a OE problem to me, I've had a Incredible for over a year and never had problems like that... Tell your friend to stop blaming his phone for his drunk shenanigans? (BTW there's even an app in the google market to stop him from drunk dialing search for "drunkblocker")

Re:Cloud and Google (1, Troll)

clang_jangle (975789) | more than 3 years ago | (#36155286)

Or you could unjustifiably assuming things. I've been in the room when her Droid was on the table with no-one anywhere near it and it called me. :P

Re:Cloud and Google (1)

clang_jangle (975789) | more than 3 years ago | (#36155796)

Speaking of Android concerns there's also the swiftness with which posts like the one I made above get modded "troll". Seems to me there's big google money being spent on astroturfers, or perhaps Taco and Co have signed a special contract...

Re:Cloud and Google (1)

crashumbc (1221174) | more than 3 years ago | (#36155942)

the internet has matured, people are much faster at spotting trolls now? IF her phone was really randomly dialing people it was defective and should have been returned...

Re:Cloud and Google (0)

Anonymous Coward | more than 3 years ago | (#36156016)

Now STFU, [google.com] , troll.

Re:Cloud and Google (1)

scot4875 (542869) | more than 3 years ago | (#36156628)

That's all it takes for a STFU [google.com] ?

Re:Cloud and Google (1)

npsimons (32752) | more than 3 years ago | (#36155684)

My friend has a verizon Droid which has made random calls and sent random texts since new.

And my wife has a Samsung Galaxy with T-Mobile that has worked perfectly. My anecdote cancels yours out. Perhaps your friend's problems are with Verizon or Motorola? Both have been known to screw customers over, and shoddy products and service from them wouldn't surprise me. Also, if it's really an Android problem, file a bug report. Bitching on slashdot won't do anything.

PS - I've got mod points, but decided to respond. Problems do need to be pointed out and fixed, but bitching on slashdot will do jack shit.

Re:Cloud and Google (0)

Anonymous Coward | more than 3 years ago | (#36155714)

Oh, did you miss the part where it's not the poster's phone? I don't think making an observation and raising a concern qualifies as "bitching", either.

Re:Cloud and Google (1)

willoughby (1367773) | more than 3 years ago | (#36156302)

And my wife has a Samsung Galaxy with T-Mobile that has worked perfectly.

Does that include the GPS? I just returned one yesterday because the GPS wouldn't work.

Re:Cloud and Google (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#36156638)

Ditto. However the replacement myTouch 4G hasn't given me any problems yet.

AOSP Android vs. OHA Android (5, Informative)

tepples (727027) | more than 3 years ago | (#36155230)

it does speak to google that they are so lax with the vendors.

There's a difference between OHA Android, which comes on phones and 3G tablets, and AOSP Android, which comes on PDAs and Wi-Fi-only tablets. Anyone can make a device with AOSP (Android Open Source Project), without Google's permission, but it'll come with AppsLib or Amazon Appstore instead of Android Market. I'm guessing that the 100 USD tablet you bought came with AOSP Android, not unlike my Archos 43 PDA. OHA Android-powered devices, on the other hand, are subject to tighter Google scrutiny, but they come with Android Market and other Google apps in return. If you want the tightest scrutiny ever, make sure to choose a phone with "Nexus" in the name.

Re:Cloud and Google (2)

Ender_Stonebender (60900) | more than 3 years ago | (#36155318)

You bought a tablet at a price point where you could expect a dog's breakfast, and you're surprised that you got one? I fail to understand what you think is wrong with the world here. There are always going to be hardware makers that are willing to put out shoddy (and possibly knock-off) products at super-discount prices.

I suspect that you bought the tablet on the self-fulfilling prophecy "Android is terrible, even this cheap tablet can't do anything properly!" Next time, either spend 10 minutes playing with the device in the store, or spend enough money to get a product that goes through proper quality assurance (both hardware and software).

I've had an Android phone for most of year now - never had a problem with it until I loaded CyanogenMod, and even the one problem I have had is relatively minor and easily worked around.

Re:Cloud and Google (1)

element-o.p. (939033) | more than 3 years ago | (#36157014)

What do you expect? If you release software and allow independent vendors to install your software on their hardware, you will get a wide range of products, from cheap and shoddy to pretty darned nice. If you only want to shell out $100 for a tablet, well, you get what you pay for. OTOH, I have a $450 Dell Streak 7 that I'm reasonably happy with. Fit and finish are pretty nice, the screen is sharp and clear, and the tablet works pretty well. There are a few apps that work fine on my HTC Hero but won't work on the Streak (Astro file manager, Google Sky); I assume that's because they were designed for the smaller screen of a phone and don't know how to scale to the larger tablet size. However, I have seen progress on that front even in the few weeks I've owned the Dell. ConnectBot wouldn't work when I first tried to install it. I tried it again last week, and the force-close on start-up on the tablet had been fixed -- now it works quite well (and the larger keyboard on the tablet makes it much nicer to use than on the Hero).

It seems to me that Apple provides a one-size-fits-all approach. They provide a premium product at a premium price. If you can afford the ${iDevice} you'll probably be happy with it. Android allows you to buy a product that fits your budget. You can get a cheap device, but you'll probably get a cheap experience. You can buy a higher-end device and get a higher-end experience. Or you can buy at the point in between where your budget and your needs intersect. I don't see that as a bad thing.

Re:Cloud and Google (0)

jellomizer (103300) | more than 3 years ago | (#36155014)

Because it is pointing out the Original Argument about security that the OSS zealots feared. Linux isn't that much more secure the only reason it gets attacked less is because it is less popular. As distributions of Linux get popular they become targets and get hacked.

As much as we hate the Apple Store block of apps, it does help protect us in terms of security.

Re:Cloud and Google (1)

clang_jangle (975789) | more than 3 years ago | (#36155078)

You really are old enough to should know better than to try that hoary, ancient troll. Maybe if you learn more about how linux systems work you'll get over the delusion that the only thing wrong with windows security is "it's too popular".

Re:Cloud and Google (1)

PitaBred (632671) | more than 3 years ago | (#36155198)

Yes, just like their archiving of your location data keeps you more secure... Apple [wired.com] is [mobilecrunch.com] totally [reuters.com] perfect [arstechnica.com] , right? They wouldn't EVER let anything unknown or an app that did more than it said into the app store [iphonetutorialvideos.com] , right?

This is simply an implementation flaw. Shit like that happens on ANY system. It's just that with open systems you actually learn about it. Are you SURE that you know all the security weaknesses in your iProduct? Are you sure Apple is telling you everything? How can you be?

Re:Cloud and Google (2)

Graham J - XVI (1076671) | more than 3 years ago | (#36155560)

None of those are remote exploits for in-box software.

Re:Cloud and Google (1)

element-o.p. (939033) | more than 3 years ago | (#36157096)

How is this a "OMG -- Linux is inherently insecure!!!" argument? The developer of software on a Linux platform is stupidly passing clear-text, confidential data across a WiFi connection. Guess what? If you set up a POP3 e-mail account on an Apple product with no encryption on your user name and password between you and the e-mail server, then try to connect to your POP3 e-mail on a shared network (for example, through an Ethernet hub), you'll be able to sniff those credentials, too. Did Apple fail to "protect you in terms of security" there? That's not an OS issue, that's an app issue.

Re:Cloud and Google (1)

scot4875 (542869) | more than 3 years ago | (#36156510)

Is it just me or does Android seem to have these security problems come out almost every day?

No, it's just you.

--Jeremy

Pwnd Linucks on teh Fone!! (-1)

Anonymous Coward | more than 3 years ago | (#36154692)

lol.. maybe when Linux is done ruining my phone it can ruin my desktop.

I think I'll stick with my Windows Phone & PC.

Re:Pwnd Linucks on teh Fone!! (0)

Anonymous Coward | more than 3 years ago | (#36154742)

Funny, I thought you were using TrollOS.

Re:Pwnd Linucks on teh Fone!! (0)

clang_jangle (975789) | more than 3 years ago | (#36154766)

Yes, you just do that. Meanwhile, those of us with more than two brain cells to rub together will stick with anything but windows.

Doesn't sound like Android is that relevant (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36154790)

Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?

Wow (0)

Anonymous Coward | more than 3 years ago | (#36154810)

One of my biggest fears when applying for coding jobs for projects such as "developing a shopping cart" or "developing a secure ____" or pretty much anything involving databases was that I wouldn't be vigilant enough about working out all the potential security issues involved. After reading this article, I feel like maybe I should have applied to more of these positions. An easily-capturable device/session independent token that's happy to be transmitted cleartext over an unencrypted wireless connection? I sure couldn't do much worse.

Re:Wow (1)

Cajun Hell (725246) | more than 3 years ago | (#36155206)

If you actually feel insecure about your abilities as a designer/programmer for secure systems, then you're probably 10x better than the people who actually make the stuff everyone uses. ;-)

Solution: Wrap your Android in aluminum foil... (2)

digitaldc (879047) | more than 3 years ago | (#36154842)

...and turn off Wi-Fi. Don't let your 'smartphone' become a 'dumbphone'

Only use it for emergencies and throwing angry birds.

Just update your phone. (3, Informative)

Random2 (1412773) | more than 3 years ago | (#36154860)

As it says in TFA:

"The researchers tested out apps that contact Google services, including Calendar, Contacts, and Gallery, on various iterations of Android. They found that those apps were all vulnerable on devices running Android 2.3.3 or earlier. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app -- which syncs with Picasa online Web albums -- does not. More important, the vulnerability is not limited to standard Android apps; any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable."

So, update to 2.3.4 when possible, and avoid unsecured wireless until then. It's not a life-threatening issue, more of a notice.

Re:Just update your phone. (0)

Anonymous Coward | more than 3 years ago | (#36155112)

that update is available to a small percentage of phones.

Re:Just update your phone. (1)

h4rr4r (612664) | more than 3 years ago | (#36156218)

Really?
CM7.1 nightlies seem available on many phones.

Re:Just update your phone. (2)

thePowerOfGrayskull (905905) | more than 3 years ago | (#36155158)

And don't install apps that need access to the network, since you don't have the ability to veto them on a per-connection basis* . (Or don't use unencrypted wifi, which may be a more practical answer.)

* unlike BB, which gives you very fine grained control over the connections each application makes -- if you take the time to use it.

Re:Just update your phone. (5, Insightful)

delinear (991444) | more than 3 years ago | (#36155184)

If only Google had taken the decision to bypass carriers and enable me to force an update. Unfortunately I'm still on 2.2 and wholly relient on my carrier passing any update down the line to me (or I hack the phone and lose any warranty/support). In my opinion this was the biggest mistake of Android, giving the power over updates to companies who have no interest in keeping me on my existing phone longer when they really want to sell me a phone with the latest version. I understand why this is good for carriers, I understand why Google accepted the situation (to encourage uptake of the OS and to move the issue of hardware fragmentation onto the providers), but it's still a bad deal for the user when there are unpatched exploits out there. Apple manage to push through updates (and they've got less incentive to do so than Google, since they sell the hardware), I wish Google could have been more forceful and at least given users the ability to decide if they want to update or wait for their carrier's update.

Silver Lining (1)

ThatsNotPudding (1045640) | more than 3 years ago | (#36155884)

If Google had any guts, they would push out updates without the greedy, trogliditic carriers involvement, using the unassailabe justification of security.

Of course in retaliation, the a-hole carriers would suddenly switch to Bing even on Android devices.

Re:Silver Lining (3, Informative)

cecom (698048) | more than 3 years ago | (#36156410)

Sigh. Few people actually realize this, but Google can't possibly do it even if they wanted.

Each different phone has different custom hardware. That requires a different kernel, different drivers, etc, etc. Google couldn't possible push an update to any hardware except its own - Nexus One and Nexus S. There is no standard for phones like there is for personal computers. Google would have to maintain and test different Android distributions for every one of the (hundreds?) phones out there. Absurd.

When you buy a phone from a manufacturer (Samsung, HTC, Motorola, whatever) it is that manufacturer's responsibility to update your phone. If you don't like their update policies, don't buy from them. The market should work. And if people don't care (which is apparently the case), why should the manufacturers?

Sadly, Google gets blamed for something which is outside of their control. It is like blaming Linus Torvalds for me being too lazy to install the latest security updates on our company website.

Re:Silver Lining (0)

Anonymous Coward | more than 3 years ago | (#36157046)

If Microsoft does that with wp7, why can't Google do the same?

Re:Just update your phone. (1)

drinkypoo (153816) | more than 3 years ago | (#36156660)

Google can't be in the position of having to personally support every phone. Sure, they could probably do it TODAY, but it puts them in a poor position in the future.

Apple (1)

Anonymous Coward | more than 3 years ago | (#36156830)

This is what Apple did: stood up to the carriers and said, "We're in charge, not you losers with a track record of crippling phones.". And people hated them for it.

Android was the answer. Except that its end customers are the carriers, not users.

Google: Just buy a new phone! (0)

Anonymous Coward | more than 3 years ago | (#36155494)

Google would have you buy a new phone to get the security update. This is because Android is "open".

Oh yeah? (4, Interesting)

Kamiza Ikioi (893310) | more than 3 years ago | (#36155606)

You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol. Even if you run the wildly popular Droid X, you are running 2.2.1, and there are NO expected updates. And even the best carriers drag their asses and force us to wait for them to push the update, rather than update it ourselves. The luckier users are unlocked enough to get an updatable Mod, like Cyanogen. Unlucky users like me have no such option.

Until Manufacturers supply completely unlockable phones, how "open" Android is doesn't mean shit. 2.3.4 will NEVER... EVER... be released for my phone. And I can't upgrade to Cyanogen, because it has Motorola's "fuck you in the ass" locking mechanism. I have my phone unlocked, but it's a hell of a hack, and Google removed the unlock app from their store because carriers complained that it can be used to enable tethering.

I don't blame android, but I sure as hell won't ever buy Motorola again. My next phone with be 100% update-able by me (except for the cell radio itself, obviously). I don't care if I have to wait until Android 8.0 comes out to get it.

Re:Oh yeah? (1)

h4rr4r (612664) | more than 3 years ago | (#36156268)

Unlucky?
You bought the phone knowing this would happen, and you call yourself unlucky?

I have a motorola Droid 1 running 2.3.3 and will be running 2.3.4 as soon as CM7.1 hits RC.

Re:Oh yeah? (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#36156766)

I agree that luck may not be involved when it comes to actually rooting your phone. However, there is some luck with getting reliable service from your phone after it is rooted. I had issues with my previous phone after I rooted it. The problems outweighed any possible advantages so when I got my replacement phone, I decided against rooting it.

I am glad that your luck is better than mine.

Re:Oh yeah? (1)

h4rr4r (612664) | more than 3 years ago | (#36156892)

Rooting the phone does not impact service in anyway. The hardware and software used for that is not even related.

Hell, you can always flash a backup anyway.

Re:Oh yeah? (2)

Zebedeu (739988) | more than 3 years ago | (#36156992)

You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol.

Any of the Nexus devices. Do I get a cookie now?

I don't blame android, but I sure as hell won't ever buy Motorola again.

Actually I blame you and everyone who I see complaining on forums. It was an acceptable thing to feel betrayed by the manufacturer one or two years ago when Android devices first started coming out and the promises of openness weren't fulfilled, but nowadays you'd really have to make almost no research before buying your smartphone in order to not know the situation with the updates.

If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes, and a clear message would've already been sent to the manufacturers that people want open devices.

But as it stands, people who value openness only have one real choice, and we still have to put up with the whiners every time an Android story pops up.

Re:Oh yeah? (3, Insightful)

iluvcapra (782887) | more than 3 years ago | (#36157400)

One day, Google invented this totally awesome free and open source operating system for phones, which ran on hundreds of different devices from dozens of different vendors. It allowed people to customize their phones, run whatever apps they wanted, buy apps off of different stores and sideload whatever code they pleased.

Google also invented an awesome operating system for phones that they develop in secret, publish the source for only after select marketing partners have had a 6 month head start, and then only if the code "looks good enough," and their partners are only allowed a head start if they agree to not integrate their phones with services that would harm Google's strategic investments [thisismynext.com] . These phones come in many different models, but only two of them, both coming from the same manufacturer, actually offer up-to-date support and updates. The rest are trendy abandonware, efused and ROMed.

I am continually informed by people here that these two operating systems are the same thing and that all the good stuff about the first operating system applies to the second one.

Re:Oh yeah? (1)

Lectoid (891115) | more than 3 years ago | (#36157124)

Huh, I have a Droid X and my version says 2.3.3. Granted I put an early release of Gingerbread on my phone, but it's a leaked release of a version that's coming out very soon anyways.

Re:Oh yeah? (0)

Anonymous Coward | more than 3 years ago | (#36157392)

LG electronics and Sprint.

I've owned my phone for about 6 months, and they've already pushed two updates to it.

Re:Just update your phone. (1)

Belial6 (794905) | more than 3 years ago | (#36156840)

I love my Android phones, but suggesting that people upgrade their OS is simply not a realistic answer. Vendor locking means that the vendor decides when you upgrade. And rooting is not the answer for the majority of users either.

Re:Just update your phone. (1)

blair1q (305137) | more than 3 years ago | (#36157462)

Nexus One phones on T-Mobile got the 2.3.4 update a couple of weeks ago.

Surprise? (0)

Anonymous Coward | more than 3 years ago | (#36154878)

Unsecured WiFi and authentication tokens sent over unencrypted connections are vulnerable. Interesting, but shouldn't that have been slightly obvious? I'm not getting at these guys for trying to demonstrate something but the original article calling it an "android vulnerability" seems a little excessive.

The suggested remedies are using HTTPS for login purposes (duh?), using the latest version of Android possible (unfortunately not always a choice the user has) and not using unsecured WiFi (duh!).

Tonight news at 11! (0)

Rotten (8785) | more than 3 years ago | (#36154968)

"A hacker could collect a large store of tokens by first setting up a Wi-Fi access point with the same SSID of an unecrypted wireless network....."

OMG REALLY!?

Rule 6: Don't use a unsecure wifi. (0)

Anonymous Coward | more than 3 years ago | (#36154972)

Come on!
That's a basic rule that everyone should know !

No matter it's a Android, a iPhone, or laptop...

Ok I agree that using HTTP instead of HTTPS it's bit lame...

Rule 7: use Android, not Google services (1)

Cajun Hell (725246) | more than 3 years ago | (#36155234)

Google makes a decent (not great, but decent) OS, so use that. But for fuck's sake, don't use it for what they want you to use it for.

And? (3, Insightful)

thePowerOfGrayskull (905905) | more than 3 years ago | (#36155122)

And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.

Re:And? (1)

psydeshow (154300) | more than 3 years ago | (#36156048)

What kind of idiot uses unencrypted WiFi on their phones these days?

Any idiot who wanders into range of an unencrypted WiFi access point with the same SSID as one of their trusted, encrypted access points.

It's not like your phone is going to be all "Hey, why isn't this network encrypted anymore?" and refuse to connect, or even bring it to your attention.

Re:And? (1)

chemicaldave (1776600) | more than 3 years ago | (#36156312)

I don't know about that. Mine has a "Notify me when an open network is available" option.

Re:And? (1)

gknoy (899301) | more than 3 years ago | (#36156882)

Interesting. How can I configure it not to do that?

Re:And? (1)

Anonymous Coward | more than 3 years ago | (#36156666)

You don't use public wifi hotspots? You need to get out of your mom's basement more =]~

Re:And? (2)

TheNinjaroach (878876) | more than 3 years ago | (#36157130)

What kind of idiots implement token based authentication over unencrypted HTTP streams?

Re:And? (0)

Anonymous Coward | more than 3 years ago | (#36157404)

Convenience of Starbucks (or other stores') free wifi when you don't have (good) 3G coverage?

Why not do even better? (1)

bogaboga (793279) | more than 3 years ago | (#36155130)

Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

Why not eliminate the threat entirely? 'Reducing the risks' just does not gut it in the security industry.

Re:Why not do even better? (1)

savanik (1090193) | more than 3 years ago | (#36155456)

Why not eliminate the threat entirely? 'Reducing the risks' just does not gut it in the security industry.

Because in order to eliminate the risk entirely, you will have to shoot the user in the head. They are the largest security risk in any scenario. Requiring encryption won't eliminate your mom from handing you the already logged-in device to troubleshoot it for her.

Firesheep? (1)

dido (9125) | more than 3 years ago | (#36155304)

Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

Re:Firesheep? (1)

psydeshow (154300) | more than 3 years ago | (#36156078)

Yes, but the point is that with these apps, you don't really have a choice. They connect to Google services in the background, using unencrypted channels. The end user doesn't realize that this is the case.

Re:Firesheep? (3, Insightful)

jeffmeden (135043) | more than 3 years ago | (#36156182)

Isn't this more or less the same thing that Firesheep [codebutler.com] does, and why the EFF is urging everyone to use HTTPS wherever possible?

Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage [gawker.com] a compromised gmail account can cause.

Wrap it up, Androidailures. (-1)

Anonymous Coward | more than 3 years ago | (#36155858)

Your OS is a piece of shit.

VPN? VPN. (2)

VortexCortex (1117377) | more than 3 years ago | (#36155902)

When abroad with my laptop/phone/tablet I use open unencrypted wifi, but I tunnel all of my data through an encrypted VPN connection to my home network, then out from there. Thus, the jag-off running "ssl-strip" or "script-kiddie sheep" on the local LAN can see only my encrypted stream even if the sites I visit are not using SSL.

I thought we had all learned this lesson a long time ago -- Encrypted data BEFORE it leaves your computer, especially when connecting via untrusted WIFI.

Android > Wireless And Network settings > VPN Settings > Add VPN.

"Yeah, but it's difficult to set up my own VPN. What about computer illiterate users?"
"You expect my grandma to do this?"

No. I don't care about anyone else's competency or security. Use VPN or only SSL websites on untrusted WIFI or face the consequences.

This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

Re:VPN? VPN. (1)

drinkypoo (153816) | more than 3 years ago | (#36156698)

Actually, it's pretty easy to set up IPSEC on Windows... at least on Windows 2000 or later, and Pro or better. Using a cert is kind of annoying but using PSK is simple enough.

Re:VPN? VPN. (1)

Bill_the_Engineer (772575) | more than 3 years ago | (#36156816)

This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

So is this advice for the user or the creator of the API that sends these nuggets of information from the device?

Re:VPN? VPN. (2)

Belial6 (794905) | more than 3 years ago | (#36157018)

In theory you are right. Setting up a home VPN in trivial. Just buy one of the many routers that support it out of the box. Buffalo even sells routers with official support for DD-WRT. Sutting up VPN consists basically of putting in your username and password. For the large part of the population with dynamic DNS, most routers also support DynamicDNS services. If people can figure out how to sign up for Facebook, they can figure out how to sign up for DynamicDNS. My problem is that currently the VPN client in Android is all but useless. It will not hold a stable connection, and and every time it disconnects, it requires that you exit your application, and go back in to the VPN settings to reentery your password. I REALLY want Google to implement a good VPN client. I want to be able to set my phone to always be connected to my VPN. If the VPN connection drops, it should automatically reconnect. It should work like the VPN client in my laptop.

Re:VPN? VPN. (2)

Belial6 (794905) | more than 3 years ago | (#36157532)

This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.

Sorry to respond to the same post twice, but I just noticed this gem. Most people don't know "shit" about what is in the very walls of their house. They don't know "shit" about electricity, and they don't know "shit" about combustion engines. If people left things alone that they didn't know "shit" about, they would all literally be living in caves like animals. If even that.

What Android users can do: B: (1)

sanermind (512885) | more than 3 years ago | (#36156348)

Never turn on account sync in the first place. If you -do- have a gmail address, create a separate one just for your phone (since google makes it mandatory to have a gmail/google account to use android, for -some- reason I can't imagine...)

Disable all 'back up my data to google' options in the sub-sub menus.
Problem solved. Your phone won't have any account credentials worth worrying about, outside of through the browser (standard cross-site-scripting exploits, etc) or reasonable apps that ask for no permissions beyond internet (connectbot for ssh, etc)

Swiper no swiping! (0)

Anonymous Coward | more than 3 years ago | (#36156572)

Swiper no swiping!

...of Ulm (-1)

Anonymous Coward | more than 3 years ago | (#36156602)

Obviously researched by: Johann Gambolputty-de-von-Ausfern-schplenden-schlitter-crass-cren-bon-fried-digger-dingle-dangle-dongle-dungle-burstein-von-knacker-thrasher-apple-banger-horowitz-ticolensic-grander-knotty-spelltinkle-grandlich-grumblemeyer-spelter-wasser-kurstlich-himble-eisenbahnwagen-guten-abend-bitte-ein-nürnburger-bratwürstel-gespurten-mitz-weimache-luber-hundsfut-gumeraber-schönendanker-kalbsfleisch-mittleraucher-von-Hautkopft of Ulm.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...