They're only mentioning over wifi, not over Network provider data services.
If that's true, I feel pretty safe. My network is pretty resilient. My network has been tested against brute force and other attacks and fared very well.
How do you know your network is resilient to attacks?
I was drunk round at my hacking mate's house and we brute force attacked my public IP address. Ran all his scripts against it and couldn't get in. Not even on known open ports.
They're only mentioning over wifi, not over Network provider data services.
If that's true, I feel pretty safe. My network is pretty resilient. My network has been tested against brute force and other attacks and fared very well.
Yes that's what it means. But the first line is WiFi which is what I'm talking about.
The article says about stuff being intercepted over WiFi, but my WiFi is good
They're only mentioning over wifi, not over Network provider data services.
If that's true, I feel pretty safe. My network is pretty resilient. My network has been tested against brute force and other attacks and fared very well.
Even then, wouldn't it be a concern when connecting to open public networks like at Starbucks, library or airport? I frequently connect to those when I'm on the go.
indeed, there must be something google put in 2.3.4 that encrypts all tokens regardless of site api requests
I think you're right. It won't change policy over a different protocol.
What we could do with is a list of apps that transmit in plain text.
kinda Eddy but still, it's interesting as most apns on the various networks are nat'd
who knows what ports and restrictions are open or closed
facts are this, that stuff is broadcast in plain txt be it wifi or over a data network
an app could sniff it, a clever idiot with a device posing as a mobile phone on the same data network subnet could probably see it too.
the article says wifi only but the protocol these apps are using is still delivering information in plain txt form
i actually think it's a bigger issue than we think and one that google has kept under wraps as they have patched
who said anything about vpn? vpn is generally an rsa encrypted channel.
Never have and never will use a VPN, I only connect to trusted/secured networks and, tbh, don't have a lot of personal data linked to my Gmail account. If they want my parents' phone number then bully for them!
I won't be worrying about this one iota
Fixing the issue
What app developers can do:
- Android apps and synchronization services using ClientLogin should immediately switch to https. In the newest Android release (2.3.4) this step was already taken for the Google Calendar and Contacts apps, but other apps need to follow. The Gallery app is developed by Cooliris who probably were not made aware of the issue. However, the Android security team told us that they are investigating the Gallery app as well. So hopefully a fix should be integrated in the next release.
- Google APIs offer more secure authentication services. Switching to oAuth for authentication would mitigate the authToken capture issue. Https should be used in addition to prevent synced data from being transmitted in the clear.
What Google/Android can do:
- The lifetime of an authToken should be drastically limited.
- Google services could reject ClientLogin based requests from insecure http connections to enforce use of https. Https is already required for the Google Docs API and will be required for Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs.
- Automatically connecting to known Wifi-networks could be limited to protected networks. At least a respective option should be provided to users.
What Android users can do:
- Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
- Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.
- Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget)
- The best protection at the moment is to avoid open Wifi networks at all when using affected apps.
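The two service-side measures in the quoted list (reject ClientLogin requests that arrive over plain http, and limit authToken lifetime) can be sketched as one request check. This is an added example, not code from the article, the thread, or Google; the one-hour lifetime, the token store, the status codes and the revoke-on-exposure step are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(hours=1)  # assumed policy value, not from the article

# Constructed sample data: token -> issue time (hypothetical token store).
NOW = datetime(2011, 5, 20, 12, 0, tzinfo=timezone.utc)
ISSUED = {
    "tok-fresh": NOW - timedelta(minutes=10),
    "tok-old": NOW - timedelta(days=14),
}

def clientlogin_token(headers):
    """Extract the token from 'Authorization: GoogleLogin auth=<token>'."""
    value = headers.get("authorization", "")
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "googlelogin":
        return None
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "auth" and val:
            return val
    return None

def check_request(scheme, headers, now, issued):
    """Return (status, reason) for one request carrying ClientLogin auth."""
    headers = {k.lower(): v for k, v in headers.items()}
    token = clientlogin_token(headers)
    if token is None:
        return 401, "no ClientLogin token"
    if scheme != "https":
        # The token has crossed the network in the clear, so treat it as
        # exposed: refuse the request and drop the token (added assumption).
        issued.pop(token, None)
        return 403, "ClientLogin over plain http rejected; token revoked"
    issued_at = issued.get(token)
    if issued_at is None:
        return 401, "unknown or revoked token"
    if now - issued_at > MAX_TOKEN_AGE:
        return 401, "token expired"
    return 200, "ok"

if __name__ == "__main__":
    store = dict(ISSUED)
    auth = {"Authorization": "GoogleLogin auth=tok-fresh"}
    for scheme in ("https", "http", "https"):
        print(scheme, check_request(scheme, auth, NOW, store))
```

Run in sequence, the same token is accepted over https, refused over http, and then refused over https as well, because the plaintext request invalidated it.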