Android Security Flaw Could Expose You to Data Theft

by on May 18, 2011
in Phones and Mobile, News, Home Safety & Security, Blog :: 10 comments

Researchers at the University of Ulm have identified a security flaw in Android that could allow someone on the same unsecured Wi-Fi network to read, and even modify, your Google Calendar and Contacts data. An intruder with that access could use your contacts to phish for personal information, or quietly change a contact's email address so that you unwittingly send potentially confidential information to the intruder instead. Other apps, such as Picasa Web Albums, are also vulnerable, and there may be more. All Android phones running version 2.3.3 or earlier (which is basically every Android phone) are at risk.

Here is how the threat works. The bad guy sets up a wireless network with the same name (SSID) as a popular unencrypted network, for example the Starbucks or an airport public Wi-Fi network. If you've connected to a network with that name in the past, your phone will automatically reconnect to it whenever it is in range. Your phone identifies a saved open network by its name alone, so it can't tell the impostor from the real thing, and this time the network it joins is controlled by the attacker. (The impostor isn't even strictly required: on a genuinely open network, anyone else connected to it can capture the same traffic.)

Once your phone is on the fake network, the bad guy can "sniff" the authentication tokens Android sends when it syncs with Google Calendar and Contacts. On these Android versions the sync apps send the token over plain, unencrypted HTTP rather than HTTPS, so it can be read straight off the air. Worse, the token stays valid for about two weeks and isn't tied to your phone, so whoever captures it can use it from their own computer to read and change your calendar and contacts without ever learning your password.
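To make the sniffing step concrete, here is an added example in Python (not from the original article or from the Ulm researchers): a small scanner that runs over a constructed capture of a phone's traffic and flags every request that carried a credential over plain HTTP. It goes a little beyond the article: besides the "Authorization: GoogleLogin auth=..." header that the Android sync apps used, it also flags session cookies, the same exposure as the Facebook and Twitter case the article mentions. The capture, hostnames, paths, cookie and token values are all constructed for the example, and each finding carries only a hash fingerprint of the secret so the report itself doesn't become a second copy of the token.

```python
"""Flag credentials that a client sent over unencrypted HTTP.

Added example: scans a constructed capture of (destination port, raw payload)
records the way a practitioner would when checking which apps on a phone leak
credentials on an open Wi-Fi network. Nothing here is real traffic.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Headers that carry a reusable secret. "authorization" covers the ClientLogin
# form (GoogleLogin auth=<token>) as well as Bearer and Basic; "cookie" covers
# web session cookies of the kind hijacked on open Wi-Fi in 2010/2011.
CREDENTIAL_HEADERS = ("authorization", "cookie")

# Constructed sample secrets (not real tokens). Kept as constants so a test can
# check that none of them ends up in the report verbatim.
SAMPLE_CAL_TOKEN = "DQAAAMYAAADhE3-constructed-token-A"
SAMPLE_CONTACTS_TOKEN = "DQAAAMYAAAC0z1-constructed-token-B"
SAMPLE_FB_COOKIE = "c_user=100000000001; xs=constructed-session"


def _request(path: str, host: str, extra_headers: str = "") -> bytes:
    """Build a minimal HTTP/1.1 GET for the constructed capture."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n{extra_headers}\r\n".encode()


# Constructed capture: what a sniffer on the fake hotspot would see.
CAPTURE: List[Tuple[int, bytes]] = [
    # Calendar sync over port 80 with the ClientLogin token in the clear.
    (80, _request("/calendar/feeds/default/private/full", "www.google.com",
                  f"Authorization: GoogleLogin auth={SAMPLE_CAL_TOKEN}\r\n")),
    # Contacts sync, same problem, different token.
    (80, _request("/m8/feeds/contacts/default/full", "www.google.com",
                  f"Authorization: GoogleLogin auth={SAMPLE_CONTACTS_TOKEN}\r\n")),
    # An HTTPS session: only the TLS ClientHello bytes are visible, nothing
    # readable inside, which is exactly why the fix is to move sync to HTTPS.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    # Plain web browsing with no credential attached: harmless.
    (80, _request("/index.html", "www.example.com")),
    # A web session cookie sent in the clear (constructed values).
    (80, _request("/home.php", "www.facebook.com", f"Cookie: {SAMPLE_FB_COOKIE}\r\n")),
]


@dataclass(frozen=True)
class Finding:
    port: int
    host: str
    path: str
    header: str       # which header leaked: "authorization" or "cookie"
    scheme: str       # "GoogleLogin", "Bearer", "Basic" or "Cookie"
    fingerprint: str  # first 12 hex chars of SHA-256(secret); never the secret itself


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (method, path, headers) for a plaintext HTTP/1.x request, else None.

    TLS records and other binary data fail the ASCII decode or the request-line
    check and are skipped, so the scanner never needs to guess by port number.
    """
    head, _, _body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def fingerprint(secret: str) -> str:
    """Short, non-reversible identifier for a secret, safe to put in a report."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def classify(header: str, value: str) -> Tuple[str, str]:
    """Split a credential header value into (scheme, secret)."""
    if header == "cookie":
        return "Cookie", value
    scheme, _, rest = value.partition(" ")
    if scheme == "GoogleLogin":          # GoogleLogin auth=<token>
        return scheme, rest.partition("=")[2]
    return scheme, rest                   # Bearer <token>, Basic <base64>


def find_cleartext_credentials(capture: Iterable[Tuple[int, bytes]]) -> List[Finding]:
    """Return one Finding per credential-bearing header seen in plaintext HTTP."""
    findings: List[Finding] = []
    for port, payload in capture:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue  # encrypted or non-HTTP: nothing readable to leak
        _method, path, headers = parsed
        for name in CREDENTIAL_HEADERS:
            if name in headers:
                scheme, secret = classify(name, headers[name])
                findings.append(Finding(port, headers.get("host", "?"), path,
                                        name, scheme, fingerprint(secret)))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding."""
    return [f"{f.host}:{f.port}{f.path} leaks {f.scheme} via {f.header} "
            f"(fingerprint {f.fingerprint})" for f in findings]


if __name__ == "__main__":
    for line in summarize(find_cleartext_credentials(CAPTURE)):
        print(line)
```

Run as a script it lists the two Google sync requests and the cookie-bearing request; the HTTPS record and the plain page fetch produce nothing. Fingerprinting rather than logging the token matters in practice: a scan like this is often run on a shared machine or pasted into a ticket, and a report that contains the live token is itself the data theft the article describes.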

Unfortunately, the only real fix is to upgrade your phone to Android 2.3.4 or above, which switched Calendar and Contacts syncing to encrypted HTTPS. (Per the researchers' report, Picasa syncing still used an unencrypted connection even in 2.3.4.) And with phone manufacturers so far behind on pushing out the latest versions of Android, upgrading just isn't an option for most devices right now.

So, instead, it's up to us to be vigilant, and there are two things you can do on your phone:

1. Switch off automatic synchronization while you're on open Wi-Fi networks, and do it before the phone joins the network, since syncing typically kicks in moments after connecting. To do that, go to "Accounts & sync" within your settings menu and turn off Background data (which also switches off Auto-sync). Turn it back on when you're on cellular data or a trusted network so your calendar and contacts can catch up.
2. After you've used a popular open Wi-Fi network, tell your phone to "forget" it so it won't reconnect to a look-alike on its own. From the settings menu, go to "Wireless & networks", then "Wi-Fi settings", long-press the network name and choose "Forget network".

The best protection is to avoid open Wi-Fi networks on Android phones altogether. That's not a very practical solution, but this is far from the first time serious security risks have been tied to open Wi-Fi. Earlier in the year, a very similar risk was identified for people accessing Facebook, Twitter and many other popular sites through unencrypted networks, where a login cookie sent in the clear could be captured and reused in much the same way as these tokens. And it's likely there are more risks that haven't been discovered yet.




From Emily on May 18, 2011 :: 10:38 am

Hi All,
I am wondering how to find out which Android version my phone is running. Is this on my phone or do I have to call my phone company? I noticed that my phone's Wi-Fi is off, so hopefully that will help protect? Thanks


It's easy to check.

From Josh Kirschner on May 18, 2011 :: 11:42 am

Go to Settings and click “About Phone” and it will tell you your Android version (may say Firmware Version on Samsung devices).

If you never use public Wi-Fi hotspots, this won’t be an issue for you.


Thanks!

From Emily on May 18, 2011 :: 11:45 am

I’m running 2.2.2.


Thanks for the info

From Tracy on May 18, 2011 :: 2:37 pm

Thanks for the info. I just bought a Droid Incredible 2 a few weeks ago and haven't even figured it all out yet! I'll turn off the Wi-Fi.


Access Tokens

From Don Clark on April 30, 2014 :: 9:42 pm

Is this why some Android users are experiencing FB access token theft?


Do you have a reference?

From Josh Kirschner on April 30, 2014 :: 9:48 pm

Where are you seeing stories of Facebook Android tokens being stolen? Would be curious to research further.


On Facebook

From Don Clark on May 01, 2014 :: 2:14 pm

Several friends on Facebook that have Androids received notification yesterday (Apr 30). One has been temporarily blocked from “liking” anything. She sent me a screen shot of the notification.


Can you provide?

From Josh Kirschner on May 01, 2014 :: 2:45 pm

Can you post the exact wording of the message here or send me the screenshot at josh at techlicious dot com?


Here's what I think

From Josh Kirschner on May 13, 2014 :: 4:05 pm

Thanks for sending that screen shot. I did some research and there are a few ways your Facebook access token could be stolen, such as if you lose your phone and you don’t have a lock code on it.

However, I suspect that since it is a group of your friends experiencing the same problem, the most likely cause is that they were all tricked into giving up their access token (or allowing use of it) by some nefarious app they all downloaded.

My recommendation would be to remove any apps they recently downloaded, especially ones that in any way interact with Facebook.

If they are able to determine which app is the culprit, please let me know.

http://www.techlicious.com/images/misc/access-token-theft.jpg


Screenshot

From Don Clark on May 02, 2014 :: 3:52 pm

I’ll email it to you.


© 2015 Techlicious LLC.