1. sf49ers's Avatar
    Security has been and will be Android's weak link because of its openness. Here is an interesting read on how vulnerable Android users are to identity theft.

    99% of Android handsets vulnerable to account credential theft
    05-17-11 10:23 AM
  2. rollingrock1988's Avatar
    Ouch. :/ That blows for you android users.
    05-17-11 10:59 AM
  3. Draconianfire83's Avatar
    Can't get much worse than that... politicians can't even get that high an approval/disapproval rating...

    I understand these data leaks for Android are subject to many variables, but we are entering a world where using a mobile device as a payment method, both online and in-store, is becoming commonplace. People call RIM behind the times... but without security, you are left with garbage.
    05-17-11 11:06 AM
  4. LikeWebOS's Avatar
    That's ridiculous. On the other hand, in 2011, I'm not connecting to any "open" wifi internet connections unless I'm at work or at home, both of which are protected. Now, if I need to stop at a coffee shop and check something on my computer, I'll use my broadband modem. In this day and age, I don't understand why anyone connects to unsecured wifi hotspots for anything.
    bp3dots likes this.
    05-17-11 11:27 AM
  5. papped's Avatar
    Watch nobody care that this huge security flaw exists because it's Android... Even when Google issues patches most phones never see the updates due to carrier and manufacturer fragmentation... It's the random SMS bug all over again.
    05-17-11 11:33 AM
  6. Tre Lawrence's Avatar
    Best comment from the story:

    No fragmentation here
    ... as in all handsets are equally vulnerable.

    Good info.
    05-17-11 11:42 AM
  7. qbnkelt's Avatar
    Pulling a chair and sitting back to see how this develops....

    Posted from my CrackBerry at wapforums.crackberry.com
    05-17-11 11:56 AM
  8. qbnkelt's Avatar
    > That's ridiculous. On the other hand, in 2011, I'm not connecting to any "open" wifi internet connections unless I'm at work or at home, both of which are protected. Now, if I need to stop at a coffee shop and check something on my computer, I'll use my broadband modem. In this day and age, I don't understand why anyone connects to unsecured wifi hotspots for anything.
    That's great. What if you're unaware of this issue? Or you believe everyone that says that all these pesky security questions are much ado about nothing? Like "well, all phones have these vulnerabilities"...

    Posted from my CrackBerry at wapforums.crackberry.com
    05-17-11 12:04 PM
  9. ThaGeNeCySt's Avatar
    I'm running 2.3.4 so I guess I'm safe?

    But regardless, this is terrible for those who don't have access to this update, and even worse for people who are completely unaware. Patches like this should move backwards IMO. If Gingerbread 2.3.4 fixes the issue, then FroYo 2.2 should get a 2.2.4 update, Eclair should get a 2.1.4 update, etc (if the problems are on previous versions as well - which I'm assuming they are).
    05-17-11 12:34 PM
  10. qbnkelt's Avatar
    I've had my Atrix for just over one month and this is the third incident related to security. Security is a big deal, at least for me.

    Posted from my CrackBerry at wapforums.crackberry.com
    05-17-11 12:53 PM
  11. Tre Lawrence's Avatar
    I think it is a fairly serious issue, but one that most users won't be overly bothered about... right or wrong.

    The "openness" sword swings both ways. As of right now, I am prepared to live with the drawbacks. That won't -- and shouldn't -- be the same for all Android users.

    The bad app thingie didn't have me worried at all.
    05-17-11 01:02 PM
  12. TheScionicMan's Avatar
    > I'm running 2.3.4 so I guess I'm safe?
    You're part of the 1%...
    05-17-11 01:08 PM
  13. CranBerry413's Avatar
    I saw this article earlier. I'm all for one platform bashing another in the name of saying "Ours is better!" But this is pretty scary.

    I really hope that Google gets some sort of fix out soon, because even though I don't own a Google phone, people I know do, and they are at risk here.

    Shame really, I hope that nobody is seriously affected by this.

    Posted from my CrackBerry at wapforums.crackberry.com
    05-17-11 01:55 PM
  14. scorpiodsu's Avatar
    This is the problem with the "open" platform model. The less control you have over what others can do with your platform, the more vulnerable it is to exploits and attacks. Not saying that the attacks will happen, but when you relinquish that control you make yourself susceptible to this. And though it's not entirely an Android problem, it's the inherited problems of the platform model. I'll keep saying it.... Until Google starts really controlling things (maybe not as strict as Apple) we will continually hear about these things. I think Google exercising some control benefits all users in the long run. The only people that would be upset are the wannabe hackers who aren't hackers but pretend to be one on the Internet.
    05-17-11 02:14 PM
  15. DenverRalphy's Avatar
    It will be interesting to see how quickly Google can send out a patch. I may be mistaken, but I'm pretty sure Google can issue security patches without having to wait on carriers. They've done it before with other aspects of Android (like the market app).
    05-17-11 02:20 PM
  16. qbnkelt's Avatar
    Unfortunately, with the little issues and quirks I've been having, this might be the end of the line for me.
    I got my Atrix back out yesterday morning and immediately ran into connection problems. Today there's this.
    I'm regretting my purchase.

    Posted from my CrackBerry at wapforums.crackberry.com
    05-17-11 02:41 PM
  17. papped's Avatar
    > It will be interesting to see how quickly Google can send out a patch. I may be mistaken, but I'm pretty sure Google can issue security patches without having to wait on carriers. They've done it before with other aspects of Android (like the market app).
    Nope, they can't. Not when it's an OS level issue and not a specific Google app...
    Probably at least 80% of the 99% of users are screwed due to the debacle that is carrier/manufacturer fragmentation.
    05-17-11 02:49 PM
  18. DenverRalphy's Avatar
    As I search the interwebz for more info, it seems that services using OAuth aren't susceptible to the attack in the article. Which all apps and services seem to already be using.

    The ClientLogin API is a tool that's only supposed to be used in a closed environment, like communication between your device plugged directly to your PC. Similar to the differences between using Telnet over SSH.

    I'm still researching, but it seems (so far) to be more scare tactic journalism on a proof of concept. As it stands right now based on what I've been reading, no services or apps are using the ClientLogin API over OAuth in any case, rendering the point somewhat moot.
    05-17-11 03:12 PM
  19. DenverRalphy's Avatar
    Well after a lot more searching and reading, it seems that ClientLogin has for all intents and purposes been deprecated. Nobody seems to be using it anymore.
    05-17-11 03:56 PM
  20. papped's Avatar
    I am quite certain a large number of people are using ClientLogin.... Otherwise there would not be a ton of code examples saying how to use or to use ClientLogin to authenticate stuff like GR...

    Even the Google calendar and contacts apps did not switch to https until 2.3.4, so why would all 3rd party applications automagically have switched already? I seriously doubt it...
    05-17-11 04:02 PM
  21. DenverRalphy's Avatar
    > I am quite certain a large number of people are using ClientLogin.... Otherwise there would not be a ton of code examples saying how to use or to use ClientLogin to authenticate stuff like GR...

    > Even the Google calendar and contacts apps did not switch to https until 2.3.4, so why would all 3rd party applications automagically have switched already? I seriously doubt it...
    2.3.4 addresses the ClientLogin API using https. But it's not the only method available for retrieving tokens in Android. There are a ton of code examples showing how to use ClientLogin, but at the same time it is also documented and discouraged by Google themselves from even using it if there's any chance an app will be exposed to an unsecured network. The Google services like calendar, contacts, etc. also support other methods like OAuth. As well, earlier versions of Android also support alternate methods. While ClientLogin is inherently flawed, it's not the only option available.

    So what remains to be seen is which method is actively being used.

    What I'm trying to nail down is whether the native apps (or 3rd party even) are actually using the ClientLogin API for calendar/contacts sync etc.
    Last edited by rmjones101; 05-17-11 at 04:49 PM.
    K Bear likes this.
    05-17-11 04:46 PM
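    The thing the post above is trying to nail down (is an app actually sending a ClientLogin token over plain http, or is it on https/OAuth?) can be checked from the app's own request log without touching anyone's traffic. The script below is an added example, not code from this thread, from Google, or from any Android app: it assumes a constructed one-request-per-line log format (`scheme://host/path | Header: value`) and uses constructed placeholder tokens. The only real identifier in it is the ClientLogin header form `Authorization: GoogleLogin auth=<token>`; it flags that header only when the request scheme is http, which is the exposure that 2.3.4's move to https closes, and reports a hash of each token rather than the token itself so the report cannot re-leak it.

```python
"""Flag Google ClientLogin auth tokens that travel over plain HTTP.

Added example (not from the thread, Google, or any Android app).
Assumes a constructed request-log format, one request per line:
    <scheme>://<host><path> | <header-name>: <header-value>
The header form "Authorization: GoogleLogin auth=<token>" is the real
ClientLogin one; every token and URL below is a constructed sample.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: a mix of plain-http and https requests.
SAMPLE_LOG = """\
http://www.google.com/calendar/feeds/default/private/full | Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_1
https://www.google.com/calendar/feeds/default/private/full | Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_2
http://www.google.com/m8/feeds/contacts/default/full | Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_3
https://www.google.com/oauth-protected/resource | Authorization: OAuth CONSTRUCTED_OAUTH_1
http://www.google.com/calendar/feeds/default/allcalendars/full | Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_1
http://example.invalid/index.html | Accept: text/html
"""

LINE_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/\s|]+)(?P<path>[^\s|]*)"
    r"\s*\|\s*(?P<name>[^:]+):\s*(?P<value>.*?)\s*$"
)
CLIENTLOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(?P<token>\S+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    token_fingerprint: str  # SHA-256 prefix, so the report does not repeat the secret


def fingerprint(token: str) -> str:
    """Stable, non-reversible label for a token so repeats can be counted."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into scheme/host/path/header name/header value."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def clientlogin_token(header_name: str, header_value: str) -> Optional[str]:
    """Return the ClientLogin token carried by this header, or None.

    OAuth headers and non-Authorization headers yield None.
    """
    if header_name.strip().lower() != "authorization":
        return None
    m = CLIENTLOGIN_RE.match(header_value.strip())
    return m.group("token") if m else None


def find_cleartext_clientlogin(log: str) -> List[Finding]:
    """Every ClientLogin token sent on a plain-http request (readable on the wire)."""
    findings: List[Finding] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        token = clientlogin_token(rec["name"], rec["value"])
        # A token on an https request is protected by TLS; only plain http is exposed.
        if token is not None and rec["scheme"] == "http":
            findings.append(Finding(rec["host"], rec["path"], fingerprint(token)))
    return findings


def exposed_token_count(findings: List[Finding]) -> int:
    """Number of distinct tokens exposed (the same token re-sent counts once)."""
    return len({f.token_fingerprint for f in findings})


if __name__ == "__main__":
    found = find_cleartext_clientlogin(SAMPLE_LOG)
    for f in found:
        print(f"cleartext ClientLogin token {f.token_fingerprint} -> {f.host}{f.path}")
    print(f"{exposed_token_count(found)} distinct token(s) sent over plain http")
```

    On the constructed log this reports three cleartext sends but only two distinct tokens, since one token is reused on two calendar requests; the https ClientLogin request and the OAuth request are not flagged. The same walk over a real app's request log answers the question in the post for that app.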
  22. sf49ers's Avatar
    Here's more Android security woes that got unfolded on AC

    http://www.androidcentral.com/more-a...ix-them-sophos
    05-17-11 07:46 PM
  23. Tre Lawrence's Avatar
    rmjones, while I was initially dismayed, my research essentially led me to the same conclusion as yours.

    In any case, I remember when "major" security breaches were found on BB. I remember when folks got all in an uproar over stuff that essentially was overblown.

    As for the new set of malicious apps, give me a break. While it is not at all good or optimal, still... iCalendar? Really? You'd download that?

    Peer review is a powerful tool, and I can live with openness and a good amount of feedback, which is the only way an app makes it on my device.

    While the list of Permissions is a good deterrent, the all or nothing aspect is no fun. I would like the ability to nix particular permissions.
    K Bear likes this.
    05-17-11 10:41 PM
  24. phonejunky's Avatar
    WOW!!! That is just astounding. Literally, a lawsuit will probably be on the way for some companies.
    05-18-11 04:40 AM
  25. DenverRalphy's Avatar
    > Nope, they can't. Not when it's an OS level issue and not a specific Google app...
    > Probably at least 80% of the 99% of users are screwed due to the debacle that is carrier/manufacturer fragmentation.
    Sure they can.
    Google's Plugging That Potential Android Personal Data Leakage Right Now - Gizmodo
    Google Pushing Fix for Personal Data Security Exploit
    05-18-11 12:36 PM