Nearly all Android phones ‘leak’ sensitive personal data, tests show

Google’s privacy woes just got worse. According to a study by researchers at a German university, more than 99 percent of all smartphones that run Google’s Android operating system can easily be infiltrated by mobile hackers. The attackers can then use the “leaked” data to impersonate the rightful user, and access online accounts, such as Google Calendar, Twitter and Facebook.

According to the University of Ulm researchers, Bastian Konings, Jens Nickels, and Florian Schaub, the Android vulnerability is due to an improper implementation of the ClientLogin protocol, which is used in Android versions 2.3.3 and earlier, reports The Register. Once a user submits his or her login information, ClientLogin returns an authentication token (authToken), which is then sent in cleartext. Because the authToken can be used repeatedly for up to 14 days, hackers who capture it can use it to do their nefarious bidding.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” write the researchers on their blog. “The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

As bad as this sounds — indeed, is — for Android users, this type of attack can only be waged when the Android device is using an unsecured network, like a Wi-Fi hotspot, to send data. The researchers say hackers could wage such an attack when a device is connected to a network that is under their control.

“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” write the researchers. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

The researchers suggest a number of ways to fix the issue, for app developers, Google and Android users alike. Developers whose apps use ClientLogin “should immediately switch to https,” the researchers say. And Google should limit the life of the authentication token, and restrict automatic connects to protected networks only. Android users should update their devices to 2.3.4 as soon as possible, they say, as well as turn off automatic sync when connecting with Wi-Fi, or avoid unsecured Wi-Fi networks entirely.
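The developer-side fix above ("switch to https") can be checked by auditing an app's outgoing requests for ClientLogin tokens sent without TLS. The following is an added example, not code from the article or the researchers: it assumes requests were recorded by a test proxy as (URL, headers) pairs, relies on ClientLogin tokens being presented in an `Authorization: GoogleLogin auth=<token>` header, and uses constructed hostnames and token values.

```python
import re
from urllib.parse import urlsplit

# ClientLogin tokens travel in a header of the form:
#   Authorization: GoogleLogin auth=<authToken>
AUTH_RE = re.compile(r"GoogleLogin\s+auth=(\S+)", re.IGNORECASE)

# Constructed sample of recorded requests (hosts and tokens are placeholders).
SAMPLE_REQUESTS = [
    ("http://calendar.example.test/feeds/default/private/full",
     {"Authorization": "GoogleLogin auth=EXAMPLE-TOKEN-AAAA"}),
    ("https://contacts.example.test/feeds/contacts/default/full",
     {"Authorization": "GoogleLogin auth=EXAMPLE-TOKEN-BBBB"}),
    ("http://static.example.test/logo.png", {}),
    ("http://photos.example.test/data/feed",
     {"authorization": "googlelogin auth=EXAMPLE-TOKEN-CCCC"}),
]


def redact(token):
    """Keep only a short prefix so the audit report never stores a usable token."""
    return token[:4] + "..."


def find_cleartext_tokens(requests):
    """Return one finding per request that carries an authToken over a non-HTTPS URL."""
    findings = []
    for url, headers in requests:
        scheme = urlsplit(url).scheme.lower()
        # HTTP header names are case-insensitive, so match them that way.
        auth = next((v for k, v in headers.items()
                     if k.lower() == "authorization"), "")
        match = AUTH_RE.search(auth)
        if match and scheme != "https":
            findings.append({"url": url, "scheme": scheme,
                             "token": redact(match.group(1))})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_tokens(SAMPLE_REQUESTS):
        print("authToken sent in cleartext:", finding["url"], finding["token"])
```

Any finding means a request that should be moved to https before release; the HTTPS request and the token-free request in the sample are not reported.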

Andrew Couts
Former Digital Trends Contributor