
Root: Very happy I'm rooted and on 2.3.4 for this reason

kinda Eddy but still, it's interesting, as most APNs on the various networks are NAT'd
who knows what ports and restrictions are open or closed
facts are this: that stuff is broadcast in plain text, be it wifi or over a data network
an app could sniff it, a clever idiot with a device posing as a mobile phone on the same data network subnet could probably see it too.

the article says wifi only but the protocol these apps are using is still delivering information in plain text form

I actually think it's a bigger issue than we think and one that Google has kept under wraps as they have patched
 
Upvote 0
They're only mentioning over wifi, not over Network provider data services.

If that's true, I feel pretty safe. My network is pretty resilient. My network has been tested against brute force and other attacks and fared very well.
Even then, wouldn't it be a concern when connecting to open public networks like at Starbucks, library or airport? I frequently connect to those when I'm on the go.
 
Upvote 0
thing I don't get is they mention "only over wifi" but then the applications/web themselves send the tokens in plain text.
I can't see why the apps/websites would send information encrypted over data network but suddenly change its security model over wifi. it makes no sense

I'm not trying to scaremonger but I think they only mention wifi cos it's easier to sniff
it detracts away from the fact that you can be on the same subnet and IP range as other smartphones in the data network therefore some clever sod might be able to packet scan the open ports for data which has been sent from unpatched android devices with another device on the network.
even better use a linux box with a datacard/tethered device on the network
 
Upvote 0
Never have and never will use a VPN, I only connect to trusted/secured networks and, tbh, don't have a lot of personal data linked to my Gmail account. If they want my parents phone number then bully for them!

I won't be worrying about this one iota
 
Upvote 0
who said anything about VPN? VPN is generally an RSA encrypted channel.

I'm talking standard GPRS/3G/HSDPA

each device on the data carrier is connected from a DHCP pool from a SGSN/GGSN and given an IP from a range within that subnet
certain ports have to be open for data transit to work
potentially (I have no actual factual information so cannot fully confirm) someone within that same subnet/IP range can connect a device to the network and find plain text being transmitted from these ports.

imo if you use your provider's data network you have just as much reason to be concerned as someone using ad hoc/unsecured wifi nodes
 
Upvote 0
Actually the linked blog says it's over open wifi networks:

Catching authTokens in the wild - Universität Ulm

Fixing the issue

What app developers can do:

  • Android apps and synchronization services using ClientLogin should immediately switch to https. In the newest Android release (2.3.4) this step was already taken for the Google Calendar and Contacts apps, but other apps need to follow. The Gallery app is developed by Cooliris who probably were not made aware of the issue. However, the Android security team told us that they are investigating the Gallery app as well. So hopefully a fix should be integrated in the next release.
  • Google APIs offer more secure authentication services. Switching to oAuth for authentication would mitigate the authToken capture issue. Https should be used in addition to prevent synced data to be transmitted in the clear.

What Google/Android can do:

  • The lifetime of an authToken should be drastically limited.
  • Google services could reject ClientLogin based requests from insecure http connections to enforce use of https. Https is already required for the Google Docs API and will be required for Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs.
  • Automatically connecting to known Wifi-networks could be limited to protected networks. At least a respective option should be provided to users.

What Android users can do:

  • Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
  • Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.
  • Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget)
  • The best protection at the moment is to avoid open Wifi networks at all when using affected apps.
 
Upvote 0
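
An added example, not part of the thread or of the linked blog post: one way an app developer could apply the "switch to https" advice quoted above, by refusing to attach a ClientLogin authToken to a non-https URL and by auditing the app's own debug log of outgoing requests for tokens sent in the clear. The `Authorization: GoogleLogin auth=...` header is the documented ClientLogin form; the function names, hosts and token values are constructed for illustration.

```python
from urllib.parse import urlsplit

# ClientLogin sends the token as "Authorization: GoogleLogin auth=<token>".
CLIENTLOGIN_PREFIX = "googlelogin auth="


def clientlogin_headers(url, auth_token):
    """Build request headers, refusing to attach the authToken to a non-https URL."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send ClientLogin authToken over %r" % url)
    return {"Authorization": "GoogleLogin auth=" + auth_token}


def audit_requests(requests):
    """Return (url, redacted header) for each request that carries a ClientLogin
    token over plain http. `requests` is a list of (url, headers) pairs taken
    from the developer's own debug log of the app's outgoing traffic."""
    findings = []
    for url, headers in requests:
        if urlsplit(url).scheme.lower() == "https":
            continue  # token is protected in transit
        for name, value in headers.items():
            # Header names and the auth scheme are matched case-insensitively.
            if (name.lower() == "authorization"
                    and value.strip().lower().startswith(CLIENTLOGIN_PREFIX)):
                # Never copy the token itself into a report.
                findings.append((url, "GoogleLogin auth=<redacted>"))
    return findings


# Constructed sample log: hosts and tokens are placeholders, not real data.
SAMPLE_LOG = [
    ("http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=TOKEN-A"}),
    ("https://contacts.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=TOKEN-B"}),
    ("http://photos.example.test/data/feed",
     {"authorization": "googlelogin auth=TOKEN-C"}),
    ("http://static.example.test/logo.png", {}),
]

if __name__ == "__main__":
    for url, header in audit_requests(SAMPLE_LOG):
        print("cleartext authToken:", url, header)
```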
