Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Android Security Flaw Could Expose You to Data Theft

by Josh Kirschner on May 18, 2011

Researchers at the University of Ulm have identified a security risk with Android phones that could allow someone to access your calendar and contact information over unsecured Wi-Fi networks. Once they gain access to this data, they could use your contacts to phish for personal information or modify a contacts email address so that you unwittingly send potentially confidential information to the intruder. Other apps, such as Picasa web albums, are also vulnerable, and there may be more. All Android phones running version 2.3.3 or earlier (which is basically every Android phone) is at risk.

The way this new threat works is for a bad guy to set up a wireless network with the same name ("SSID") as a popular unencrypted network, for example the Starbucks or airport public Wi-Fi network names. If you've connected to this network in the past, your phone will automatically reconnect to these networks in the future. Except this time, the network it connects to is an imposter.

Once on the fake network, the bad guy can "sniff" the security tokens Android uses to communicate with Google Calendar and Contacts and use them for his or her own nefarious purposes.

Unfortunately, the only way to fix this vulnerability is for you to upgrade your phone to Android 2.3.4 or above. And with phone manufacturers so far behind on updating devices to the latest versions of Android, that's just not possible for most devices.

So, instead, it's up to us to exercise vigilance, and there are two ways to do that on your phone:

1. Switch off automatic synchronization in the settings menu when connecting with open Wifi networks. To do that, go to "Accounts and sync" within your settings menu and turn off Background data.
2. After you connect to a popular Wi-Fi network, tell your phone to "forget" the network. From the settings menu, go to "Wireless and network", "Wi-Fi settings", and long press the network name.

The best protection is to avoid open Wi-Fi networks on Android phones. That's not a very practical solution, but this is far from the first time serious security risks have been associated with open Wi-Fi networks. Earlier in the year, a very similar security risk was identified for people accessing Facebook, Twitter and many other popular sites through unencrypted networks. And it's likely there are more risks that haven't been discovered yet.


Topics

Phones and Mobile, News, Home Safety & Security, Blog


Discussion loading

gravatar

From Emily on May 18, 2011 :: 9:38 am


Hi All,
  I am wondering how to find out which Android version my phone is running. Is this on my phone or do I have to call my phone company? I noticed that my phone’s WiFi is off, so hopefully that will help protect? Thanks grin

Reply

gravatar

From Josh Kirschner on May 18, 2011 :: 10:42 am


Go to Settings and click “About Phone” and it will tell you your Android version (may say Firmware Version on Samsung devices).

If you never use public Wi-Fi hotspots, this won’t be an issue for you.

Reply

gravatar

From Emily on May 18, 2011 :: 10:45 am


I’m running 2.2.2.

Reply

gravatar

From Tracy on May 18, 2011 :: 1:37 pm


thanks for the info - I just bought a Droid Incredible 2 a few weeks ago - haven’t even figured it all out yet! I’ll turn off the wifi .

Reply

gravatar

From Don Clark on April 30, 2014 :: 8:42 pm


Is this why some Android users are experiencing FB access token theft?

Reply

gravatar

From Josh Kirschner on April 30, 2014 :: 8:48 pm


Where are you seeing stories of Facebook Android tokens being stolen? Would be curious to research further.

Reply

gravatar

From Don Clark on May 01, 2014 :: 1:14 pm


Several friends on Facebook that have Androids received notification yesterday (Apr 30). One has been temporarily blocked from “liking” anything. She sent me a screen shot of the notification.

Reply

gravatar

From Josh Kirschner on May 01, 2014 :: 1:45 pm


Can you post the exact wording of the message here or send me the screenshot at josh at techlicious dot com?

Reply

gravatar

From Josh Kirschner on May 13, 2014 :: 3:05 pm


Thanks for sending that screen shot. I did some research and there are a few ways your Facebook access token could be stolen, such as if you lose your phone and you don’t have a lock code on it.

However, I suspect that since it is a group of your friends experiencing the same problem, the most likely cause is that they were all tricked into giving up their access token (or allowing use of it) by some nefarious app they all downloaded.

My recommendation would be to remove any apps they recently downloaded, especially ones that in any way interact with Facebook.

If they are able to determine which app is the culprit, please let me know.

https://www.techlicious.com/images/misc/access-token-theft.jpg

Reply

gravatar

From Don Clark on May 02, 2014 :: 2:52 pm


I’ll email it to you.

Reply

New Articles on Techlicious

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.