Establishing Digital Trust: Don't Sacrifice Security for Convenience
Google's Android operating system is one of the most popular mobile platforms in the market today. According to new research from Ulm University, Android is also one of the most vulnerable platforms, due to an insecure ClientLogin protocol.
Security researchers from Ulm, have reported that Google's ClientLogin protocol can be used for an impersonation attack on Google services.
The researchers explained in their report that ClientLogin is an authentication mechanism used by Android apps. The ClientLogin uses an authentication token (authToken) which is passed to Google services enabling access to user accounts. The researchers stated that if the authToken is sent unencrypted over the air, the user's credentials can easily be stolen.
"Note that this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS," the Ulm University report stated.
Google is aware of the issue and is already in the processess of fixing the flaw.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," Google said in a statement sent to InternetNews.com "This fix requires no action from users and will roll out globally over the next few days."
The underlying security issue is not a new idea or technique. Josh Daymont, principal at security firm Securisea noted that what the Ulm University researchers found is a case of insecurely transmitted authentication cookies.
"This is a very old and well understood problem," Daymont told InternetNews.com. "The most interesting aspect of this finding is not the technical details of the weakness, but more so that it was around for so long without anyone noticing until now."
Daymont added that Web servers can set a secure flag to tell browsers to only send cookies over encrypted connections and this feature has been around for a long time to address just this issue.
Nishchal Bhalla, founder of Security Compass, said that he wasn't surprised such an authentication vulnerability exists. Over the years, he has come across many applications that send session tokens in clear text.
"At one point, even the Gmail Web application behaved this way by default; until they decided that the security risk outweighs the usability tradeoff," Bhalla told InternetNews.com. "The Google Android applications are following a similar path as the Gmail Web application, only this time the Android user does not have an option to opt-in for HTTPS."
Bhalla noted that it's unclear as to why Google did not catch this flaw earlier. He did say that, unfortunately, time-to-market pressures often result in security oversight -- as is indicated by the number and type of vulnerabilities that his firm discovers during mobile application assessments.
"While we dont know why the Android Google applications were developed in this way, its possible that they leverage the same Google API that is used by the Web application," Bhalla said. "I hope that this can be a lesson for all application developers to implement security controls as deep in the application stack as possible (e.g., in the backend API), instead of leaving it up to each front-end interface."