Researchers at the University of Ulm have identified a security risk with Android phones that could allow someone to access your calendar and contact information over unsecured Wi-Fi networks. Once they gain access to this data, they could use your contacts to phish for personal information or modify a contact's email address so that you unwittingly send potentially confidential information to the intruder. Other apps, such as Picasa web albums, are also vulnerable, and there may be more. All Android phones running version 2.3.3 or earlier (which is basically every Android phone) are at risk.
The way this new threat works is for a bad guy to set up a wireless network with the same name ("SSID") as a popular unencrypted network, for example the Starbucks or airport public Wi-Fi network names. If you've connected to this network in the past, your phone will automatically reconnect to these networks in the future. Except this time, the network it connects to is an imposter.
Once on the fake network, the bad guy can "sniff" the security tokens Android uses to communicate with Google Calendar and Contacts and use them for his or her own nefarious purposes.
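The weakness described above is a credential travelling over an unencrypted connection, which a network owner can audit for. The following is an added example, not code from the Ulm researchers or from Google: a small defender-side check that walks a list of HTTP request records and flags any credential-bearing header (Authorization, Cookie) sent without TLS, redacting the token value so the report itself does not re-leak it. The record format, field names, hostnames and token strings are all constructed for the example.

```python
"""Audit HTTP request records for credential headers sent in cleartext.

Added example for this article; not the researchers' or Google's code.
The Request record layout and the sample data below are assumptions
constructed for illustration (a real run would feed records exported
from a packet capture of your own network).
"""
from dataclasses import dataclass, field

# Header names that carry a session token or credential. Compared
# case-insensitively, since HTTP header names are not case-sensitive.
CREDENTIAL_HEADERS = {"authorization", "cookie"}


@dataclass
class Request:
    host: str
    dst_port: int
    tls: bool                      # True if the connection was TLS-protected
    headers: dict = field(default_factory=dict)


def redact(value, keep=8):
    """Keep only a short prefix so a finding never reproduces the token."""
    return value[:keep] + "..." if len(value) > keep else value


def find_cleartext_tokens(requests):
    """Return one finding per credential header sent over a non-TLS connection."""
    findings = []
    for req in requests:
        if req.tls:
            continue  # encrypted in transit; an evil-twin hotspot sees ciphertext only
        for name, value in req.headers.items():
            if name.lower() in CREDENTIAL_HEADERS:
                findings.append({
                    "host": req.host,
                    "port": req.dst_port,
                    "header": name,
                    "value_prefix": redact(value),
                })
    return findings


# Constructed sample: hostnames and token values are placeholders, not real data.
SAMPLE_REQUESTS = [
    # Token over plain HTTP: exactly the exposure the article describes.
    Request("calendar.example.net", 80, False, {
        "Host": "calendar.example.net",
        "Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-VALUE-0001",
    }),
    # Same token over TLS: not flagged, an eavesdropper cannot read it.
    Request("calendar.example.net", 443, True, {
        "Host": "calendar.example.net",
        "Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-VALUE-0001",
    }),
    # Cleartext request without any credential: not flagged.
    Request("www.example.net", 80, False, {
        "Host": "www.example.net",
        "User-Agent": "constructed-client/1.0",
    }),
    # Session cookie over plain HTTP, lowercase header name: flagged.
    Request("photos.example.net", 80, False, {
        "Host": "photos.example.net",
        "cookie": "SID=CONSTRUCTED-SESSION-COOKIE-0002",
    }),
]

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(f"{f['host']}:{f['port']} sends {f['header']} in cleartext "
              f"(value starts {f['value_prefix']})")
```

Run against real records, a finding for an app means that every open hotspot the phone joins can read that token; the remediation is the one the article gives (a client update that moves the traffic to TLS), not anything the user can configure per request.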
Unfortunately, the only way to fix this vulnerability is for you to upgrade your phone to Android 2.3.4 or above. And with phone manufacturers so far behind on updating devices to the latest versions of Android, that's just not possible for most devices.
So, instead, it's up to us to exercise vigilance, and there are two ways to do that on your phone:
1. Switch off automatic synchronization in the settings menu when connecting to open Wi-Fi networks. To do that, go to "Accounts and sync" within your settings menu and turn off Background data.
2. After you connect to a popular Wi-Fi network, tell your phone to "forget" the network. From the settings menu, go to "Wireless and network", "Wi-Fi settings", and long press the network name.
The best protection is to avoid open Wi-Fi networks on Android phones. That's not a very practical solution, but this is far from the first time serious security risks have been associated with open Wi-Fi networks. Earlier in the year, a very similar security risk was identified for people accessing Facebook, Twitter and many other popular sites through unencrypted networks. And it's likely there are more risks that haven't been discovered yet.
From Emily on May 18, 2011 :: 9:38 am
Hi All,
I am wondering how to find out which Android version my phone is running. Is this on my phone or do I have to call my phone company? I noticed that my phone’s WiFi is off, so hopefully that will help protect? Thanks
From Josh Kirschner on May 18, 2011 :: 10:42 am
Go to Settings and click “About Phone” and it will tell you your Android version (may say Firmware Version on Samsung devices).
If you never use public Wi-Fi hotspots, this won’t be an issue for you.
From Emily on May 18, 2011 :: 10:45 am
I’m running 2.2.2.