Nearly all Android phones ‘leak’ sensitive personal data, tests show

Google’s privacy woes just got worse. According to a study by researchers at a German university, more than 99 percent of all smartphones that run Google’s Android operating system can easily be infiltrated by mobile hackers. The attackers can then use the “leaked” data to impersonate the rightful user and access online accounts, such as Google Calendar, Twitter and Facebook.

According to the University of Ulm researchers, Bastian Konings, Jens Nickels, and Florian Schaub, the Android vulnerability is due to an improper implementation of the ClientLogin protocol, which is used in Android versions 2.3.3 and earlier, reports The Register. Once a user submits his or her login information, ClientLogin receives an authentication token that is sent as a cleartext file. Because the authentication token (authToken) can be used repeatedly for up to 14 days, hackers can access the information stored in the file, and use it to do their nefarious bidding.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” write the researchers on their blog. “The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

As bad as this sounds — indeed, is — for Android users, this type of attack can only be waged when the Android device is using an unsecured network, like a Wi-Fi hotspot, to send data. The researchers say hackers could wage such an attack when a device is connected to a network that is under their control.

“To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” write the researchers. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

The researchers suggest a number of ways to fix the issue, for app developers, Google and Android users alike. Developers whose apps use ClientLogin “should immediately switch to https,” the researchers say. And Google should limit the life of the authentication token, and restrict automatic connects to protected networks only. Android users should update their devices to 2.3.4 as soon as possible, they say, as well as turn off automatic sync when connecting with Wi-Fi, or avoid unsecured Wi-Fi networks entirely.
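For developers acting on the "switch to https" advice, the check below is an added example (not code from the article or the researchers) that audits request records exported from a test proxy in front of your own app and reports any ClientLogin token sent without TLS. The `Authorization: GoogleLogin auth=` header format comes from Google's ClientLogin documentation rather than the article; the record layout, hosts and tokens are constructed for illustration.

```python
import re
from collections import defaultdict

# ClientLogin tokens travel in this request header (format taken from Google's
# ClientLogin documentation, not from the article).
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)

# Constructed sample: (scheme, host, raw request head) records as a test proxy
# in front of your own app might export them. Hosts and tokens are made up.
SAMPLE_REQUESTS = [
    ("http", "calendar.example.test",
     "GET /feeds/default HTTP/1.1\r\n"
     "Authorization: GoogleLogin auth=DQAAAExampleToken1\r\n\r\n"),
    ("https", "contacts.example.test",
     "GET /feeds/contacts HTTP/1.1\r\n"
     "Authorization: GoogleLogin auth=DQAAAExampleToken2\r\n\r\n"),
    ("http", "static.example.test",
     "GET /logo.png HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"),
    # Header names are case-insensitive, so the match must be too.
    ("http", "calendar.example.test",
     "POST /feeds/default HTTP/1.1\r\n"
     "authorization: googlelogin auth=DQAAAExampleToken1\r\n\r\n"),
]


def redact(token):
    """Keep a short prefix so findings can be correlated without storing the token."""
    return token[:4] + "..."


def find_cleartext_tokens(requests):
    """Return {host: set of redacted tokens} for auth tokens sent without TLS."""
    findings = defaultdict(set)
    for scheme, host, head in requests:
        match = AUTH_RE.search(head)
        if match and scheme.lower() != "https":
            findings[host].add(redact(match.group(1)))
    return dict(findings)


if __name__ == "__main__":
    for host, tokens in find_cleartext_tokens(SAMPLE_REQUESTS).items():
        print(f"cleartext authToken sent to {host}: {sorted(tokens)}")
```

Any host that appears in the result is an endpoint the app still reaches over plain HTTP with a reusable token attached, which is the condition the researchers' fix removes.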
