Last Friday, a vulnerability in Google’s ClientLogin Protocol was disclosed that makes most Android users vulnerable to “sidejacking.” All services (Calendar, Contacts, Picasa, Stock Quotes, etc.) that use Google’s ClientLogin API for “Auto Sync” are vulnerable.
Sidejacking (aka session hijacking) is not new to Wi-Fi. Firesheep, which caused a stir last October, is a recent example of a tool demonstrating a sidejacking attack against Twitter and Facebook. The latest vulnerability, though, holds significance given the huge user base of Android smartphone owners who commonly use their phones at Open Wi-Fi hotspots.
The first time a user logs into a Google service, the username and password are securely sent over SSL (https). A ClientLogin “authToken” (like a cookie and typically valid for up to two weeks) is sent to and stored on the user device so that the user does not have to log in again to access other applications using the Google Services API. In short, this enables single sign-on convenience for end users.
So where is the problem?
Instead of sending authTokens securely (using SSL), they are sent in the clear, without encryption! Yes, I know! I could not believe it either!
Over Open Wi-Fi, this means that anyone passively sniffing over-the-air packets can capture in-flight authTokens in the vicinity, don the identity of those (unaware) Android users and hijack their sessions — access their contacts, calendar, photos in their private Picasa albums… Well, you get the point!
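To make the exposure concrete from the defender’s side, here is an added example (not code from the original post or from Google) of the kind of audit a network or device administrator would run over a proxy log or decoded capture: it flags every request that carries a ClientLogin authToken without TLS, which is exactly what the fixed clients no longer do. The header format `Authorization: GoogleLogin auth=<authToken>` is the ClientLogin convention; the hosts, paths and token value are constructed sample data.

```python
"""Audit parsed HTTP requests for ClientLogin authTokens sent in the clear.

Added example, not from the original post. Findings redact the token so the
audit output does not itself become a second leak.
"""
from dataclasses import dataclass, field
import re

# ClientLogin clients present the authToken in this header on every API call.
GOOGLELOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


@dataclass
class HttpRequest:
    host: str
    path: str
    tls: bool                                    # True if sent over HTTPS
    headers: dict = field(default_factory=dict)  # header name -> value, as sent


def redact(token: str) -> str:
    """Keep just enough of a token to correlate findings, never the secret."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"


def audit(requests):
    """One finding per request carrying a ClientLogin token over plaintext."""
    findings = []
    for req in requests:
        # Header names are case-insensitive; match them accordingly.
        auth = next((v for k, v in req.headers.items()
                     if k.lower() == "authorization"), None)
        match = GOOGLELOGIN_RE.match(auth.strip()) if auth else None
        if match is None or req.tls:
            continue  # no ClientLogin token, or it is protected by TLS (2.3.4+ behaviour)
        findings.append({"host": req.host, "path": req.path,
                         "token": redact(match.group(1)),
                         "issue": "ClientLogin authToken sent over plaintext HTTP"})
    return findings


# Constructed sample traffic, not captured data; the token value is made up.
TOKEN = "DQAAconstructedClientLoginAuthTokenValue0001"
SAMPLE_REQUESTS = [
    HttpRequest("www.google.com", "/calendar/feeds/default", tls=False,
                headers={"Authorization": f"GoogleLogin auth={TOKEN}"}),
    HttpRequest("www.google.com", "/m8/feeds/contacts/default", tls=True,
                headers={"authorization": f"GoogleLogin auth={TOKEN}"}),
    HttpRequest("picasaweb.google.com", "/data/feed/api/user/default", tls=False,
                headers={"User-Agent": "constructed-client/1.0"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

Only the first sample request is reported: the second carries the same token but over TLS, and the third sends no token at all.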
This vulnerability exists on Android 2.3.3 and earlier. The good news is that Google has fixed the problem in Android 2.3.4 and later. The bad news — that is 0.3% of the total Android users out there, leaving the remaining 99.7% vulnerable.
So is this 2012?
While it’s not time to lose your sleep over this latest Android vulnerability, it does re-emphasize the need for careful use of Wi-Fi. It’s the usual convenience versus security struggle.
Upgrade your Android to version 2.3.4 or later as soon as it becomes available from your vendor. In the meantime, DO NOT use your Android phones over Open Wi-Fi without VPN tunneling; fortunately Android comes with several VPN apps built-in. And turn OFF the “Auto Sync” capability on your Android, especially if you travel a lot and often suffer from Wi-Fi withdrawal symptoms while waiting for your next flight!