99 percent of Android phones leak data to unsecured Wi-Fi

German insecurity experts have precisely worked out that Android devices connect to unsecured Wi-Fi networks leak persona data more than 99 percent of the time.

According to the University of Ulm researchers, Bastian Konings, Jens Nickels, and Florian Schaub, the vulnerability is due to an improper implementation of the ClientLogin protocol.

Once a user submits his or her login information, ClientLogin receives an authentication token that is sent as a cleartext file.

Since the authentication token can be used for up to 14 days, hackers can access the information stored in the file and do what they like with it.

Writing from their bog, the boffins said that they wanted to know if it was possible to launch an impersonation attack against Google services.

The short answer was “Yes” and it was a doddle.

The attack is not limited to Google Calendar and Contacts, but is “theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”

However, this attack can only be waged when the Android device is using an unsecured network to send data.

The attacker could set up a Wi-Fi access point which looks like the SSID of an unencrypted wireless network.

Using default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. It would not be able to sync but the attacker “could capture authTokens for each service that attempted syncing.”

It is not that difficult to fix.

Developers whose apps use ClientLogin should use https and Google should limit the life of the authentication token, and restrict automatic connects to protected networks only.

Users who are using Android 2.3.4 have little to worry about. Although they should turn off automatic sync when connecting with Wi-Fi, or avoid unsecured Wi-Fi networks.