99% of Android phones leak secret account credentials

The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned. The weakness stems from the improper …


  1. M Gale

    Hm, I was about to rip Samsung a new one in a comment.

    ...then I did some googling and found this:

    Fuck me, Samsung? Actually providing an updated firmware?

    I won't believe it until I see it.

    1. Version 1.0

      Nexus S upgraded itself last week.

      Verizon/AT&T = All your bucks belong us.

    2. Geoff Campbell

      I regularly get updates from Samsung

      There's one downloading for my Galaxy S2 even as I type, and roll-out of Gingerbread for the Tab is about to start, I'm told.


      1. M Gale

        Re: I regularly get updates from Samsung

        I went ahead and installed Kies specifically because of this article. And Geoff Campbell, I'm well aware of Gingerbread ALLEGEDLY about to be rolled out since I did just post the link about it up there.

        My Kies information:

        Current firmware version: PDA:U7 / PHONE:JKS / CSC:U5 (CPW)

        Latest firmware version: PDA:U7 / PHONE:JKS / CSC:U5 (CPW)

        So no, Samsung do not update regularly, and never have. That is unless I bought a Tab that's been sitting in the warehouse for however-long with the latest firmware somehow magicked onto it. Their Android update support is infamously crap, hence my utter surprise at this latest announcement.

        Also is it just me, or is Kies an awful, slow POS that makes iTunes seem almost slim?

    3. Ilgaz

      Samsung is the last brand to buy

      I got a lot of Samsung stuff here down to the fridge and let me say something: Do NOT buy anything Samsung until they act like a real big brand. I don't talk about sales/hardware specs, I speak about a company who can have English typos (yes, typo) on their pages.

      Ask their Symbian users how they got abandoned without any reason and how firmware hackers, actually engineering for free, create miracles.

  2. nickrw

    On the wifi point

    I personally make sure to 'forget' networks that I don't personally have any control over.

    I would also note that my phone* will actually not remember networks with common names (seen this happen with an AP named 'NETGEAR') to prevent you accidentally trying to connect to any old AP.

    * Not android.

    1. Anonymous Coward

      So you never go to Starbucks or use any public Wifi then?

      as title

      1. Anonymous Coward

        Never heard of 3G?

        I can understand those that want to look chic having a coffee and browsing their iTard - but for the sake of checking emails or facebook on the go I can't see the point - after faffing and connecting to it 3G would have updated it anyway.

        Anon so the fanbois don't lynch mob me! I have an iPhone, but hopefully for not much longer....

        1. PJI

          What has your incompetence with an iPhone got to do with an Android problem?

          Do tell, do.

      2. Bilgepipe


        >>> So you never go to Starbucks or use any public Wifi then?

        Reading comprehension fail.

      3. Ian McNee

        @AC 23:22

        Do you light up while filling your car with petrol or add RAM to your PC while it's still running?

        "Yay! Free wi-fi! Aww! I got pWn3d!" No thanks.

        Good article though :-)

    2. Anonymous Coward

      So you all can say

      You've never used a public Wifi network, even when abroad, at an airport, hotel, conference, cybercafe... I guess you always go and buy local SIMs with generous data plans even in countries that don't sell them?

      You wouldn't get pwned if Google encrypted this information as they should. Don't blame public wifi for this problem.

      1. Ian McNee

        @Metavisor: Caution over "free" wi-fi =/= exoneration of Google

        Who blamed this problem on public wi-fi? That was a little party going on in your own head alone it seems. The point was simply that free public wi-fi is often completely unsecured.

        As an Android user whose network hasn't deigned to put out Gingerbread 2.3.4 for my handset it does concern me that Google has been sloppy with security for earlier incarnations of Android. Us geeks can make a judgement about the risks of connecting to insecure wi-fi (again, that was implicit in my point) whereas most lay Android users will take the view: "Yay! Free wi-fi!"

        1. Anonymous Coward


          Well AC 08:39 did.

          You as well, but in disguise. Who hasn't been abroad with their smartphones and said "Yay! Free wi-fi!", get real.

          Now I know not to use certain services over untrusted Wifi, but apparently Android will go right ahead and sync my calendar and contacts with insecure authentication tokens as soon as it connects.

  3. John Robson


    Aftermarket firmware is the only way to get upgrades in a timely fashion.

    Carriers don't care - you're already paying

    Manufacturers don't care - they want to sell you a new phone

    1. Anonymous Coward

      Don't be sad

      CyanogenMod rocks.

  4. Anonymous Coward

    No problem

    The users can just patch their source code and reinstall. What were the commands again?

    Found it:

    mkdir android ; cd android ; repo init -u git:// ; repo sync ; make

    Does that go into the new Google Docs app or should I send it as a txt?

    1. M Gale


      ...the only people who've ever seen that line of terminal gunk are likely people who know more-or-less what it means.

    2. The Fuzzy Wotnot

      The clash of Geek and User!

      You have to remember that while you may remember all that or even do that kind of thing day-in day-out, most people want a phone to work like their car, TV or fridge. Switch it on and use it as per manual, they do not want an appliance to have to require 6 weeks of evening college to understand.

      The last time my dishwasher conked out I didn't bother getting the Zanussi service manual and pulling the back, I was paying for extended warranty so I called up whomever it was I paid, told them the problem and they sent a bloke out within 4 hours to fix it, job done. Same with PCs, phones, cable TV receivers, fridge, cars, a lot of us have other priorities in our lives so we pay for the convenience of someone else to fix stuff when it's broken. It may be odd to some, but that's the way life works today.

      1. Anonymous Coward


        They don't read no stinking manuals, they just switch it on and call support if it doesn't light up. Chimps.... no.. I take that back... chimps can be trained.

    3. Ilgaz

      command prompt of 99.9% of owners said...

      mkdir: command not found.

      Seriously, who do you think Android users are and who will be hit with such issues?

      1. pan2008


        Android? good luck with that.

        From a very happy WP7 user

        1. Anonymous Coward

          @One of the 3, maybe 4 tops, real WP7 users in AC clothing

          "From a very happy WP7 user"

          Famous last words

          1. pan2008

            quality not quantity

            Android will step on a Mango fruit in September and will get a big dent on its head! From the still very happy WP7 user (Hope all android users are very happy running their antivirus).

      2. Anonymous Coward


        "Does that go into the new Google Docs app or should I send it as a txt?"

        Did y'all miss that bit?

    4. Anonymous Coward

      Pomposity rules OK

      Even most Linux users who claim to be technical never go beyond point and click.

      You forgot about back-up, reboot, make depend .... But then, by the snide attitude and complete ignorance of the vast majority of mobile telephone usage, I take it that your UNIX knowledge is just as thin, wonderful as your ability with a search engine may be.

      Oh, and you must have "jail-broken" your mobile. Last time I looked, HTC, for instance, did not have a supplied terminal emulator as standard (last week) and a colleague's Samsung has got one installed, but no access to any useful shell commands. (I know, I'm a UNIX fanboy: to me UNIX is a command line/shell driven system on which I can do real development or write natty scripts in ksh, perl or python or awk or ... to make life easy).

      So drop the pomposity and know the difference between a telephone (even a "smart" one) and a computer (in the sense of a device into which one logs in and runs a choice of programmes, operating system etc.). A mobile has to work as a reliable, secure communications device for all users, while complying with regulatory, contractual and safety rules and regulations covering the use of telephone networks and frequencies; it should be simple to use with no apparent user maintenance, any more than the long established land lines or basic mobiles such as those supplied for years by Nokia and other suppliers.

      1. Anonymous Coward

        OK rules pomposity

        "A mobile has to work as a reliable, secure communications device for all users, while complying with regulatory, contractual and safety rules and regulations covering the use of telephone networks and frequencies; it should be simple to use with no apparent user maintenance"



        Are they really that different? Not according to your definition. Dig deeper.

        You're also deluded about Nokia, I had to take quite a few to the service centre for updates because they would crash, go mad, lose contacts, etc - this was before remote updates came about, which just meant you had to do more updates but now at least you could do them at home.

        I call that a lot of user maintenance, not unlike computers actually.

      2. Ilgaz

        One thing they don't get

        Android isn't some nerd's garage invention, it is the market leader and it has a very precious thing: google account credentials.

        So it targets the general public, not Debian owners who don't even need X11 installed. That -was- the Neo phone which failed (thanks to the hypocrisy of FSF fanatics) miserably.

        Checking my posts' "thumbs down", they also have an unhealthy community of fanatics too. All I said was reminding the fact that it is a general public device and if Google doesn't knock on these idiot vendors' door soon, some catastrophe is waiting to happen.

        You CAN'T deny security updates in 2011, that is also some trainwreck scandal waiting for Apple too (3G iPhone). If it happens, everyone will hear it and governments and carriers will really be pissed off with it. I don't say "free major updates", I say same major version+security update. No new features, just make sure your customer doesn't lose all their real life money.

  5. Anonymous Coward

    2-step verification

    So from what I understand this also affects those of us using the supposedly more secure 2-step verification authentication, for apps that use an application specific password - which, let's be honest, are all of them?

    Why did I even bother turning it on and jumping through all the hoops of using it.... setting up was a mess, apparently they haven't gotten around to supporting it well in Android, and now this.

    Well done Google, authentication tokens over plain HTTP, top marks for stupidity. Can't even imagine what's in that Honeycomb source code now, if even they admit to having made "shortcuts".

  6. Anonymous Coward

    No no no

    It's all a smear campaign, can't you see? Smear smear smear. There is no issue here, passwords have been sent plaintext for ages without any problem whatsoever. Plain text auth tokens are just like plaintext passwords 2.0. Super cool. (anything else is a smear)

    We even had our streetcars drive around collecting unencrypted Wifi packets to study in depth how this is such a non-issue.. Out of millions of networks we only collected hundreds of thousands of passwords, it's a whole order of magnitude less, so no worries. Did we say smear yet?

    The real story is some very evil PR company paid for by ( Microsoft | Apple | Facebook | Vatican | Scientology | Aliens) asked some very naughty professors to claim this was an actual issue. Can you believe it? Now is that evil or what! Bad bad professors. That is the real problem, not this password thing which is so good it tastes like strawberry. Smear.

    Hey look behind you, is that a giant ice cream sandwich? Yummy, all smeared in chocolate.

    ps: If any of the professors is reading this remember when we said location data from Android phones was stored with a hashed version of an anonymous token, which is deleted after approximately one week? Well turns out the hash is pretty unique, the "approximately" is exactly just that and the anonymous, well.. >:-> Don't call us, we'll be in touch.

    1. Ian McNee


      Nuff sed.

  7. Muckminded

    Aye, here be aggregators

    The beauty of modern corporate fuck-ups is how well they scale. This wouldn't be possible in technologically inferior societies, so quit crying about every little bitty breach of 100 million or so.

    Yay for progress!

    This message brought to you by the Luddite Hammer Company.

  8. Miek

    Aha, some ammunition for my upgrade gun

    Take that vodafone, pow pow

  9. Andrew Jones 2

    Man in the middle attack.


    and this is different to any other man in the middle attack how??

    Bottom line is regardless of what device you use to access the internet - unsecured wireless hotspots are ALWAYS a danger!

    How many people do you think update their facebook over free WiFi?

    How many of those people do you think even know that facebook provides a https option if you turn it on in your account?

    I would be willing to bet that 90% of people using facebook over an unsecure wireless network are doing so with using https.

    1. Anonymous Coward

      Wrong assumptions

      If you use Farcebook you don't really expect any security do you? All it takes is one of your "friends" account to be hacked and your info's spammer (or worse) fodder.

      However I'd think users of Google's Calendar or contacts would expect a bit more.

      I don't personally use Calendar but know quite a few people who manage their lives around it. I don't think they'd be happy sharing that with strangers in foreign places (where there's no real option other than to use local public Wifi)

    2. morphoyle


      "I would be willing to bet that 90% of people using facebook over an unsecure wireless network are doing so with using https."

      I would take that bet, and then your money. 90% of people that use facebook would probably stare at you like a confused puppy at the very mention of https.

      1. Anonymous Coward


        "I would take that bet, and then your money. 90% of people that use facebook would probably stare at you like a confused puppy at the very mention of https."

        And quite possibly with the fact their phones can use Wifi instead of umm, the magic they currently use.

  10. Mr Ian

    Inaccurate article title?

    "99% of Android phones leak secret account credentials"

    I don't think any *credentials* are being leaked here. It seems that the cached plaintext 'auth successful' file. Sure this would allow attackers to automatically gain authentication with services - but it doesn't appear that it actually leaks the account credentials themselves (passwords, usernames, etc).

    Concerning, nonetheless.

    1. Tom 38

      Re: Inaccurate article title

      In crypto, a credential is a token or set of tokens that grant access. It doesn't necessarily mean a username and password, which is one sort of credential, it can quite easily mean a temporary token which can be used to access an authenticated service.

      1. Mr Ian

        Credentials and all that

        Indeed. Had a further chat with the author and I can see your point. I think I do still draw a line between 'leaking a temporary token' and 'leaking a username and password that can be used anytime, anywhere' (until they get changed, of course). Most passwords online do not expire and it's only through intelligent security processes that you'll ever see a password get changed... not something that's done often. A temporary token though? It expires. While it's active sure, the attacker can abuse it for all its worth, but once it has expired they need to hunt down a new one.

  11. ElReg!comments!Pierre

    Fair game but misleading.

    I strongly dislike Google's tentacular approach to user data as much as (and maybe more than) everyone; however the headline is plain silly.

    99% of apps are rejected from the app store -because face it, no one knows the rules

    99% of windows computers are part of a botnet -because any one of them might be at some point

    99% of linux boxen are utterly unusable -because who hasn't encountered a kernel crash

    99% of phone conversations are recorded by USA spooks -can you prove me wrong?

    99% of computer parts are faulty - well they will fail at some point won't they?

    99% of car drivers will die in a collision with a firetruck -well, it has happened before, it can happen again.

    99% of articles having "99%" in their headline are either junk or going for the easy attention-grab trick -no comment.

    But again, that's why I read El Reg!

    1. Anonymous Coward

      How is it misleading?

      The title says 99% *leak information*, which is true.

      It's not something that may happen or happened once in the past, it's something that does happen every time they're on Wifi (and btw, even if you encrypt with WEP or even WPA - the latter under certain conditions - these have been easily hacked)

      1. ElReg!comments!Pierre

        @ metavisor

        "The title says 99% *leak information*, which is true." Erm, no it's not?

        Some models/versions (probably most) are vulnerable to a man-in-the-middle impersonation attack when authenticating through an unsecured connection. Which means, it's only slightly *more* secure than your average unsecured authentication (only a "one-time" token can be stolen, not your actual permanent credentials). That's not exactly "leaking information" in the sense that most people would understand. As for the 99% figure, it's simply pulled out of thin air.

        I'm not saying that there's not an issue here, I'm just saying that the title makes it bigger than it actually is. That said, if I didn't like my tech story with a bit of added spice I wouldn't read El Reg.

        1. Anonymous Coward

          @UUCP mail user ElReg!comments!Pierre

          I think you didn't read the actual article (not this summary, the actual research one)

          There's no difference in vulnerability here, if the phone is running anything lower than Gingerbread 2.3.3 it'll be sending plain text authentication tokens to Google for the Calendar, Contact and Picasa sync.

          The 99% number is the percentage of Android devices that are not on 2.3.3 yet. All those devices are doing this.


          1. ElReg!comments!Pierre

            What the heck?

            A single-use token can be intercepted when using non-encrypted connexion (that's what you call "plain text" I presume; I'd say it's hardly text, but yes, it's unencrypted. That's the whole problem with unencrypted connections).

            That's "leaking information" as in my "99% of computer parts are faulty" above. Normal people call it "vulnerability to a man-in-the-middle attack". And not the most serious kind either (not that it's not serious; it could just be worse). It is a LOT less dangerous than transmitting your actual username and password, for example, as here all the man-in-the-middle attacker can do is log in to the very service that token was issued for (no credential re-use issue as in "oh shit I use the same password for iCalendar and for banking"), and for 14 days "only". Still serious enough, especially on mobile devices which can be expected to connect through insecure networks.

            And again, it's not a spontaneous data leak, it's vulnerability to a man-in-the-middle attack (although the title was changed since I posted my first comment; it is less misleading now).

            As for the 99%, my objection was that it's assuming that all owners of an "old" Android device are using it to authenticate via unencrypted connections through unsecured networks where there happens to be someone logging that particular type of tokens and using it to implement the attack. It takes all that for any information to actually leak. So I doubt the actual figure is 99%.

            I don't say that the title is absolutely completely false, I just say that it's not absolutely true either. That's why I said "misleading". But I don't have any particular problem with that, especially not on El Reg.

  12. streeeeetch

    Are Orange and other suppliers now compromising their customers

    OK, supposing that the Android system is compromised and that this isn't a M$ smear campaign.

    My HTC phone is branded by Orange and still has Android 2.2 because Orange's updates are always way behind the real release. I can't load vanilla Android without voiding my warranty so Orange are now putting all of their customers at risk by not supplying an update.

    My question is this: If there is a real security threat, do Orange now have the right to require all of its users to stick with their "version" of the OS on the phones they supply?

  13. Anonymous Coward

    Is this issue really restricted to Android?

    It sounds very much like the same issue that Firesheep was getting at, unsecured authentication tokens on unsecured networks. Yes, I would expect better from Google services, but surely this problem happens on any device that connects to insecure networks.

    1. Anonymous Coward

      Not just Android

      All rubbish devices and services do, all good ones however use encryption.

  14. Ted Treen

    I'm just waiting...

    ...for one (or more) of the usual suspects to claim it's all Steve Jobs/Apple's fault.

    Par for the course these days.

    1. Anonymous Coward

      It is Apple's fault!

      Apple expelled Eric Schmidt from the board before he got round to photocopying their concept of using HTTPS for authentication.

  15. Anonymous Coward

    Oh. I see - the problem concerns Google services

    So even if I had an Android phone (which to be honest I have been considering), there would be nothing to worry about as I am not stupid enough to use their services or tell them who I am.

    1. Ilgaz

      as far as I heard

      Android is so tied to Google services that on some devices, deleting your gmail account may wipe the entire device.

      I mean if you don't like Google's stance on privacy etc, just don't buy a device with Google OS. Not saying "buy that instead", I am in a similar situation and may end up with a small netbook+dumb phone.

  16. Stefing

    Misleading headline du jour

    "LEAK" is not the same as "could disclose if attacked" - on that basis I'm leaking my Amex PIN code right now.

  17. Ilgaz

    Apple's secret

    This is the most amazing thing coming with iPhone. They somehow managed to convince/force all network operators to do updates in sync.

    As a person who had to hack his Nokia E71 product code to get updates at the same time, I have to admire them.

    If iPhone OS was an OEM thing, I am sure they would make sure these idiots (networks, device makers) do the same thing too. Apple shows no mercy when it comes to update policy and roadmap.

    Sad thing is, android and ios, that is all left to choose.

  18. Bas_1801

    2.3! I wish I could get to 2.2

    With HTC and many other vendors locking phones to Android 2.1 things (e.g. HTC Hero) are worse than highlighted here. Many phones come with 18-24 month contracts. The makers of the phones are refusing to offer the newer OSes for phones that may only be a few months old, leaving users stuck with insecure versions.

    If my phone is attacked due to their negligence who is to blame?

    Shame on them

    1. taxman

      ZTE misnomer

      Apparently the Racer is a bit of a ploy, stuck on 2.1 update 1. And no they won't!

  19. petur

    Has this finding been verified?

    I just had a quick look at the ClientLogin API, and it mentions the use of HTTPS... it also mentions it isn't compatible with 2-step authentication (which should make davidp1 happy)

    Did anybody verify the issues mentioned?

    I'm not an Android user, and use HTTPS and SSH anyway...

    1. Anonymous Coward

      No, doesn't make me happy

      Unfortunately even if it's incompatible with 2-step authentication, ClientLogin is what Google uses in their phones.

      That means when we do activate their 2-step stuff we have to create multiple application specific passwords to get Android to work, which are then used for (what we now know is) just ClientLogin.

      I can't confirm non-HTTPS use, but Rice University is not your typical rumour mill and I doubt an associate professor such as Dan Wallach would put his academic career and good name at risk over this, so until proof to the contrary I'll take his word for it.

  20. Andy Watt

    "should use unsecured networks"?

    This is _exactly_ the kind of thing which will turn Android into "Windows for phones". High volume, and a lacklustre and throwaway attitude to security.

    It's the same reasoning which has left the "install whatever the hell I want" switch in the settings menu.

    If the industry doesn't wake up Apple will wipe them all out - not due to a single issue like this, but because, again and again, the fragmented players who exist in the android space won't play ball with each other, or google, and google won't play with them either.

    It's the perfect environment for exploitable security holes to flourish, for multiple platforms and specifications to befuddle application developers and result in lowest common denominator applications using the oldest API available for maximum compatibility... a whole host of issues stemming from Google's management of the android experiment (let's face it, they're still in beta as usual).

    I hope the ice cream sandwich they're planning unifies and places some strictures or some god-awful vulnerability across the entire platform will result in a global bollock-up of PSN proportions.


    The title is required, and must contain letters and/or digits.

    Who cares if one loses control over one's Facebook account. Surely you could phone all your friends and tell them to un-friend you, and then befriend you on your newly created FB account!

    Side-tracked there: are we discussing something else...

    1. Anonymous Coward

      Khaled elEkhetyar cares

      23 March 2011 "in Daraa, Syria, a journalist is reported missing.......

      Twitter users are reporting that Khaled Elekhetyar, a Syrian journalist and blogger is unreachable, and his Facebook account has been hacked and used to post pro-Assad propaganda...."

  22. Nicolas Charbonnier

    Rewrite your article

    This only works if you are using open unencrypted wifi and the attacker spoofs your wifi sitting just outside your door. We all know the dangers of using unencrypted wifi without https apps, it's the same on your laptop, which is why last year Google turned all its web apps to https by default. 99% of Android users DO NOT currently use their phones on unencrypted open wifi so this attack is pretty much useless regardless of your Android version, Apple's GPS tracker is much worse.

    1. Anonymous Coward


      You mean the same GPS tracking as Google? What a Googletard you are.

      I'd bet good money that at least 90% of Android users have been on unencrypted wifi one time or another, especially since the device connects to them by default.

      Not that it matters anyway since even most encrypted Wifi networks can be hacked very quickly.

      Plaintext auth of any kind should be a punishable crime. We've known about this since people started dropping telnet for SSH - that was 16 years ago!

      1. PartTimeLegend

        Titles are people too

        "the device connects to them by default" really?

        1. Anonymous Coward

          @Troll aka PartTimeLegend

          Yes, that's what my Galaxy S does. Why, is that unique to this device?

          I'm seriously fed up with this POS device already, wouldn't be beyond Samsung to fuck it up even further.

          1. M Gale

            "Yes, that's what my Galaxy S does."

            Funny, my Galaxy Tab doesn't. Neither does the ZTE Racer. Neither did the Commtiva N700. Neither does a friend's Galaxy i7500 (the one that Samsung rather unforgivably dumped and left with 1.x). Neither does the Dell Streak. Or the Motorola Xoom. In fact I have yet to see a single device, Android or otherwise, that automatically connects you to an unknown network without some serious hackery going on.

            Are you sure you haven't just remembered an open access point called "NETGEAR" or something, and still have its profile? Android (and a lot of other OSes) uses the SSID to determine network identity, which is really annoying when you have two people, with two different security set-ups, who both have routers called "dlink".

            Try locating the offending profile and giving it the old heave-ho. Shouldn't be too hard. Tap on the entry then select "forget".

            1. Anonymous Coward


              Think it's the TouchWiz crap that's doing it. I've been meaning to remove it from the phone but haven't had the patience. Probably will get rid of the phone soon anyway and get a Nokia. People here seem to like them.

              But I get what you're saying, wireless at work is called wlan lol.

      2. David Simpson 1


        That would be the Google GPS tracker you can opt out from during setup or at any other time, how do you do that on an iPhone again ? Such an iTard.

        1. Anonymous Coward

          Answering @David Simpson 1

          You turn off location services on the iPhone, no more tracking. Just like Google's.

          Not the sharpest tool are you... Too much fizzy Google-aid?

  23. PartTimeLegend

    Shock Horror!

    I guess Wireless really isn't secure.

    Paris, as her phone always leaks "personal" information.

  24. __sporkbomb

    FUD title... (and some clarity from a grumpy security guy)

    By the logic of the title of this article, 100% of all Windows/Linux/Mac/*BSD laptops in use leak secret account credentials because somebody coded an application that doesn't use transport encryption for session tokens. And I can assure you that that's true for every single platform with more than 10.000 users worldwide.

    To bring some facts into this, since The Register reporters are too busy writing ill-informed articles with missing pieces...

    ClientLogin is an interface to get auth tokens for Google services (such as Calendar, Mail etc). The graphic in the docs explains it quite nicely. You let the user enter credentials, get a cookie and can then access the service. That's a pretty standard operation and nearly all popular services that serve third-party clients use something of that form (OAuth is an extended version of this scheme, and OAuth is used by quite a few large services such as Twitter).

    If the application utilising ClientLogin uses some form of transport encryption (which is really just the exact term for SSL aka "https" in this case), you're a-ok. This is what applications CAN do. They CAN perform Google API calls in an end-to-end encrypted manner.

    The big mistake is (as so often) letting coders do the wrong thing. Applications CAN also use the unencrypted form, as in "no SSL", and in this case that's even what Google Calendar and whatnot is doing.

    So, who's the culprit here? Still Google, but not only them. Google not forcing devs to use transport security AND devs having no damn clue of security (because security is hard and education on the subject is done by grumpy cynical elitists like me) and not using transport security equals FAIL.

    What to do? Not much, sadly. If you must use unencrypted connections (such as public WiFi [WEP encrypted ones count too, really, but it raises the effort required]), the same applies as usual: Tunnel everything through a VPN or do something of that sort to reduce the amount of people you have to trust. Tell the devs of the apps you have on your phone that use Google services (I think that's a permission, so you could probably check that, not sure) to switch to HTTPS. It requires no real extra effort, everything is already there. In many cases, that's a SINGLE CHARACTER the coder has to change.

    I'll go back to my security cave now and be passive aggressive about stupidity there. Cheers.

    1. Anonymous Coward

      Good shot, but WRONG TARGET

      Couldn't you read the article? Let me make it uppercase for you as you seem to like that style.

      The problem here is that it's GOOGLE who IS NOT USING transport layer security (aka HTTPS) for connecting to THEIR OWN SERVICES from Android including:

      * Calendar Sync

      * Contacts sync from their Android phones

      * Picasa Gallery Sync

      So it's Google's own damn fault they didn't change that SINGLE CHARACTER you mentioned.

      Maybe you should get out of that cave more often?
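    The two comments above disagree only about who is at fault; they agree on the mechanism: a ClientLogin-style auth token attached to a request over plain http:// is readable by anyone on the network path, and the fix is the scheme change to https:// before the token is sent. The Python below is an added example written for this thread, not code from Google, Android or either commenter. It builds the request bytes, shows what a passive observer on the same network would see under each scheme (the TLS wrapping is simulated, not a real handshake), and then applies the fix as a client-side check plus a small configuration audit. All hostnames, the token value and the helper names are constructed for the example.

```python
"""Why an auth token over http:// is exposed, and how a client should refuse to send it.

Constructed example: hostnames, token and function names are made up for this
illustration; nothing here is taken from Google's documentation or Android's
sync code.
"""
from typing import Iterable, List
from urllib.parse import urlsplit, urlunsplit

# Constructed sample value, not a real ClientLogin token.
SAMPLE_TOKEN = "DQAAAK-constructed-example-token"


def build_request(url: str, token: str) -> bytes:
    """Serialise a minimal HTTP/1.1 GET carrying a ClientLogin-style header.

    This is exactly what is handed to the transport. Over http:// these bytes
    cross the network as-is; over https:// they are wrapped in TLS first.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {parts.netloc}",
        f"Authorization: GoogleLogin auth={token}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def on_the_wire(url: str, token: str) -> bytes:
    """What a passive observer on the same network segment sees.

    The TLS record layer is simulated here: for https the payload is opaque,
    for http the request bytes go out unchanged.
    """
    raw = build_request(url, token)
    if urlsplit(url).scheme == "https":
        return b"<TLS application data, %d bytes, opaque>" % len(raw)
    return raw


def token_exposed(url: str, token: str) -> bool:
    """True when the token is visible in what crosses the network."""
    return token.encode("ascii") in on_the_wire(url, token)


class InsecureTransport(Exception):
    """Raised instead of sending a credential over a cleartext scheme."""


def force_https(url: str) -> str:
    """The 'single character' fix: rewrite http:// to https://.

    Anything other than http or https is rejected rather than guessed at.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        return urlunsplit(parts._replace(scheme="https"))
    raise InsecureTransport(f"unsupported scheme {parts.scheme!r} in {url}")


def safe_request(url: str, token: str) -> bytes:
    """Attach the token only after the scheme has been upgraded/validated."""
    return build_request(force_https(url), token)


def audit_endpoints(urls: Iterable[str]) -> List[str]:
    """Configuration audit: endpoints that would send the token in cleartext."""
    return [u for u in urls if urlsplit(u).scheme != "https"]


if __name__ == "__main__":
    # Constructed endpoints standing in for the sync services named in the thread.
    endpoints = [
        "http://calendar.example.invalid/feeds",
        "http://contacts.example.invalid/feeds",
        "https://mail.example.invalid/feeds",
    ]
    for ep in endpoints:
        print(ep, "exposes token:", token_exposed(ep, SAMPLE_TOKEN))
    print("cleartext endpoints:", audit_endpoints(endpoints))
    print(safe_request(endpoints[0], SAMPLE_TOKEN).decode("ascii"))
```

The useful part for a defender is `audit_endpoints`: the same scheme check run over whatever endpoint list an app or sync adapter is configured with tells you, without any packet capture, which services would put the token on the wire in the clear.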

  25. David Simpson 1


    How about adding "ON UNSECURED WIFI" to the title, I don't even sign in to anything from a laptop on unsecured WIFI, it's a fool's game.

    1. Anonymous Coward

      Game played by most

      It's a game played by a large % of Android users, some flavors even make it stupidly easy to do so.

      Either way you twist it, it doesn't excuse Google from not using encryption to authenticate to their services. They even have that as a best practice in their own documentation for developers FFS, why not follow it?

  26. nrthnhorzn
    IT Angle

    This is why....

    I see no need for a "smartphone". When a private eye can send a bot to your phone to turn it on so your wife can catch you with your pants down with your office co-worker, I see no need for one....

    1. M Gale

      Re: This is why

      Uhm, you do know that phones have been able to run apps for several years before the iPhone was a twitch in el Steve-o's pants? It's called Java/J2ME, and there are snoop apps for bog standard Nokia "dumbphones" too.

      And no, the PI would not be able to just "send it to your phone". Google and Apple might be able to do sneaky things like that, but your wife's PI has absolutely no chance. They'd have to have access to the device, and even then you might notice an extra "McSnoopSnooperson" app in the list that wasn't there before.

      So, carry on banging the secretary, eh?

  27. brightnight

    of Ulm!

    Why is it the world never remembered the name of Johann Gambolputty de von Ausfern-schplenden-schlitter-crasscrenbon-fried-digger-dangle-dongle-dungle-burstein-Von-knacker-thrasher-apple-banger-horowitz-ticolensic-grander-knotty-spelltinkle-grandlich-grumblemeyer-spelterwasser-kurstlich-himbleeisen-bahnwagen-gutenabend-bitte-ein-nürnburger-bratwurstle-gerspurten-mit-zwei-macheluber-hundsfut-gumberaber-shoenendanker-kalbsfleisch-mittler-aucher von Hautkopft of Ulm?

  28. joe.user

    Come on Verizon! You're a network leader, don't leave us behind.

    Some C level - get your head out of your arse and get this fire going to move us to updated versions!

  29. CyberAvenger

    The people (Consumers) need take back the control

    It's Google too. Google wants control and to know everything. They have corrupted their own system.

    But it's all a security risk. We should be able to use wifi. But they have to stop spying on people and tighten up their security. Or there is really no point......

    We just view pages but transmit any personal data. Go home and use a local Lan. Or get out of the house and do our own shopping.

    They gotta controlling everything and typed up security. Or there is no point to internet.
