Nearly all Android phones ‘leak’ sensitive personal data, tests show

Google’s privacy woes just got worse. According to a study by researchers at a German university, more than 99 percent of all smartphones that run Google’s Android operating system can easily be infiltrated by mobile hackers. The attackers can then use the “leaked” data to impersonate the rightful user, and access online accounts, such as Google Calendar, Twitter and Facebook.

According to the University of Ulm researchers, Bastian Konings, Jens Nickels, and Florian Schaub, the Android vulnerability is due to an improper implementation of the ClientLogin protocol, which is used in Android versions 2.3.3 and earlier, reports The Register. Once a user submits his or her login information, ClientLogin receives an authentication token that is sent as a cleartext file. Because the authentication token (authToken) can be used repeatedly for up to 14 days, hackers can access the information stored in the file, and use it to do their nefarious bidding.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” write the researchers on their blog. “The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

As bad as this sounds — indeed, is — for Android users, this type of attack can only be waged when the Android device is using an unsecured network, like a Wi-Fi hotspot, to send data. The researchers say hackers could wage such an attack when a device is connected to a network that is under their control.

“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” write the researchers. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

The researchers suggest a number of ways to fix the issue, for app developers, Google and Android users alike. Developers whose apps use ClientLogin “should immediately switch to https,” the researchers say. And Google should limit the life of the authentication token, and restrict automatic connects to protected networks only. Android users should update their devices to 2.3.4 as soon as possible, they say, as well as turn off automatic sync when connecting with Wi-Fi, or avoid unsecured Wi-Fi networks entirely.
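For developers acting on the "switch to https" advice, the following added example (not code from the researchers or from Google) audits a list of an app's own outgoing requests and flags any that carry a ClientLogin token over a non-HTTPS URL. The `Authorization: GoogleLogin auth=<token>` header format comes from the ClientLogin protocol rather than from this article; the record layout, host names and token values are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# ClientLogin tokens are sent as "Authorization: GoogleLogin auth=<token>".
_GOOGLELOGIN = re.compile(r"^\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE)


def token_fingerprint(token):
    """Short SHA-256 prefix, so token reuse can be correlated without logging it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def audit_requests(requests):
    """Return one finding per request that sends a ClientLogin token without TLS."""
    findings = []
    for req in requests:
        # Header names are case-insensitive, so normalise before the lookup.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        match = _GOOGLELOGIN.match(headers.get("authorization", ""))
        if not match:
            continue  # no ClientLogin token on this request
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "https":
            findings.append({
                "host": parts.hostname,
                "scheme": parts.scheme.lower(),
                "token_fp": token_fingerprint(match.group(1)),
            })
    return findings


# Constructed sample records (hypothetical hosts and tokens).
SAMPLE = [
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-AAA"}},
    {"url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-AAA"}},
    {"url": "HTTP://photos.example.test/feed",
     "headers": {"AUTHORIZATION": "googlelogin auth=CONSTRUCTED-TOKEN-AAA"}},
    {"url": "http://static.example.test/logo.png",
     "headers": {"Accept": "*/*"}},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE):
        print(finding)
```

Two findings sharing one `token_fp` mean the same token was exposed to more than one service over cleartext, so every service that accepts it should be treated as exposed until the token expires or is revoked.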

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…