Close to 99 per cent of all Android devices are prone to data theft, especially of the username and passwords of Google services, German researchers have reported.
It was found that Android devices running Android 2.3.3 or older versions are particularly susceptible, as the client login authentication process used in these versions is insecure.
In fact, the vulnerability affects not just Google's own apps but any app that does not use the ClientLogin protocol (the protocol for logging in to your Google account) exclusively over https (an encrypted connection).
The researchers also recommended that Google reduce the lifespan of the authentication token to minimise the risk for users. They also suggest some simple steps for users, such as turning off automatic synchronisation, upgrading to Android 2.3.4 and avoiding open WiFi networks.
In fact, whenever your phone detects an open WiFi network, Android should be configured to ask for your permission before connecting, so that your device does not use any network you don't trust.
Android devices are particularly insecure on open WiFi networks.
Android apps use ClientLogin for authentication purposes, in which the username and password are passed through the WiFi network.
The researchers said the Google Calendar apps were especially prone to interception by unauthorised people who could easily impersonate others and misuse the data thus gathered.
At the time of login, the Google service asks for an authentication token, which is known as authToken. This can be used for later requests for up to two weeks.
When this token is sent over an unencrypted connection, sensitive data can be captured by unauthorised people. The problem is that the vulnerable version 2.3.3 is present on most Android devices, which leaves the largest number of users exposed. Android 2.3.4 uses https for Google Calendar, but Picasa data continues to be sent unencrypted.
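The following added example (not from the article or the researchers) shows what a defender checking a captured set of requests would look for: ClientLogin tokens carried in an `Authorization: GoogleLogin auth=...` header over plain http rather than https, and how long a captured token stays usable under the reported two-week lifetime versus a shorter one. The request records, timestamps and token strings are constructed placeholders; the shorter lifetime value is an assumption, since the article does not state what the researchers proposed.

```python
"""Audit captured HTTP request metadata for Google ClientLogin tokens sent in
the clear, and compute how long a captured token remains usable.

All request records below are constructed for this example; the token values
are placeholders. The header form 'Authorization: GoogleLogin auth=<token>'
is the one the ClientLogin protocol used.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Matches the ClientLogin authorization header and captures the token value.
CLIENTLOGIN_RE = re.compile(r"^authorization:\s*GoogleLogin\s+auth=(\S+)",
                            re.IGNORECASE | re.MULTILINE)

# Token lifetime reported in the article (up to two weeks) and an assumed
# shorter lifetime of the kind the researchers recommended.
TOKEN_LIFETIME_REPORTED = timedelta(days=14)
TOKEN_LIFETIME_ASSUMED_SHORT = timedelta(hours=1)  # assumption, not from the page

# Constructed capture records: (timestamp, request URL, raw request headers).
SAMPLE_REQUESTS = [
    ("2011-05-16T09:00:00",
     "http://www.google.com/calendar/feeds/default/private/full",
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=PLACEHOLDER_TOKEN_A\r\n"),
    ("2011-05-16T09:05:00",
     "https://www.google.com/calendar/feeds/default/private/full",
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=PLACEHOLDER_TOKEN_B\r\n"),
    ("2011-05-16T09:10:00",
     "http://picasaweb.google.com/data/feed/api/user/default",
     "Host: picasaweb.google.com\r\nAuthorization: GoogleLogin auth=PLACEHOLDER_TOKEN_C\r\n"),
    ("2011-05-16T09:15:00",
     "http://example.org/index.html",
     "Host: example.org\r\nUser-Agent: Android\r\n"),
]


def extract_clientlogin_token(headers):
    """Return the ClientLogin token in a header block, or None if absent."""
    match = CLIENTLOGIN_RE.search(headers)
    return match.group(1) if match else None


def find_cleartext_tokens(requests):
    """Return (timestamp, url, token) for every ClientLogin token sent over
    plain http; tokens sent over https are not reported."""
    findings = []
    for timestamp, url, headers in requests:
        scheme = urlsplit(url).scheme.lower()
        token = extract_clientlogin_token(headers)
        if token is not None and scheme == "http":
            findings.append((timestamp, url, token))
    return findings


def token_usable_until(first_seen, lifetime):
    """Latest time a token captured at first_seen can still be replayed,
    given the token lifetime the service enforces."""
    return first_seen + lifetime


def exposure_report(requests, lifetime=TOKEN_LIFETIME_REPORTED):
    """Map each cleartext token to the time until which it remains usable."""
    report = {}
    for timestamp, _url, token in find_cleartext_tokens(requests):
        first_seen = datetime.fromisoformat(timestamp)
        report[token] = token_usable_until(first_seen, lifetime)
    return report


if __name__ == "__main__":
    for timestamp, url, token in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(f"cleartext ClientLogin token at {timestamp}: {url}")
    for lifetime in (TOKEN_LIFETIME_REPORTED, TOKEN_LIFETIME_ASSUMED_SHORT):
        for token, until in exposure_report(SAMPLE_REQUESTS, lifetime).items():
            print(f"{token} usable until {until} (lifetime {lifetime})")
```

Run on the constructed records, the audit flags the Calendar request and the Picasa request sent over http and leaves the https Calendar request alone; the exposure report then shows that, under a two-week lifetime, a token captured on 16 May remains replayable until 30 May, whereas a one-hour lifetime closes that window the same morning.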