Google's Android mobile operating system is again in the hot seat after German researchers found that a flaw in how Android phones talk to Google's services lets nearly all of them leak the authentication tokens that stand in for users' account credentials.
Researchers at the University of Ulm explained that the problem lies in ClientLogin, a Google authentication protocol used to authenticate communication between Android phones and Google services such as Google Calendar, Google Contacts and Picasa, as well as third-party Android apps such as Twitter and Facebook that use it to sync with Google data.
ClientLogin is designed to issue an authentication token once the phone has proved the username and password. The token is a bearer credential, basically a digital spare key, that lets the phone send and receive data without having to log in again. It does not contain the password, but whoever holds it can act as the user at the service it was issued for.
Rather than sending these tokens only over an encrypted HTTPS connection, certain apps send them in the clear over plain HTTP. As a result, anybody running one of several free traffic-sniffing programs on an open public Wi-Fi network can read the tokens off the air and reuse them.
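What a sniffer on the same network actually sees is an ordinary HTTP request with the token in its Authorization header. The following is an added example, not code from the researchers or from Google: it scans captured TCP payloads for the GoogleLogin header that ClientLogin-authenticated requests carried and reports only where plain HTTP exposes the token. The flows, the host, the path, the User-Agent and the token value are all constructed for the example; the TLS flow is included to show that the same request over port 443 is ciphertext and yields nothing to this check.

```python
"""Scan captured HTTP traffic for ClientLogin tokens sent in the clear.

Added example: constructed sample flows, not real captures.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Header that ClientLogin-authenticated requests used to carry the token.
AUTH_RE = re.compile(r"^Authorization:[ \t]*GoogleLogin[ \t]+auth=([^\r\n]+)",
                     re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(r"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)
REQ_RE = re.compile(r"^(GET|POST|PUT|DELETE)[ \t]+(\S+)[ \t]+HTTP/1\.[01]",
                    re.MULTILINE)


@dataclass(frozen=True)
class LeakedToken:
    host: str
    path: str
    token: str


def extract_tokens(flows: List[Tuple[int, bytes]]) -> List[LeakedToken]:
    """Scan (dst_port, tcp_payload) pairs for GoogleLogin tokens in cleartext HTTP.

    A TLS payload (port 443) is ciphertext, so the header regexes cannot
    match it; only a plain-HTTP request exposes the bearer token to a sniffer.
    """
    found: List[LeakedToken] = []
    for _dst_port, payload in flows:
        # Plain HTTP headers are ASCII; latin-1 decodes any byte without raising,
        # so a TLS record simply becomes text that matches none of the patterns.
        text = payload.decode("latin-1")
        req = REQ_RE.search(text)
        auth = AUTH_RE.search(text)
        host = HOST_RE.search(text)
        if not (req and auth and host):
            continue
        found.append(LeakedToken(host.group(1).strip(), req.group(2),
                                 auth.group(1).strip()))
    return found


def redact(token: str, keep: int = 8) -> str:
    """Keep only a token prefix so a report does not itself leak the credential."""
    return token[:keep] + "..." if len(token) > keep else token


# Constructed sample flows (assumed, not captured): a calendar sync over plain
# HTTP, a TLS client hello standing in for the same sync over HTTPS, and an
# unrelated request that carries no token.
CLEARTEXT_SYNC = (80,
    b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=DQAAAKwAAAB9EXAMPLETOKENabc123\r\n"
    b"User-Agent: Android-GData/1.0\r\n\r\n")
TLS_SYNC = (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01" + bytes(range(32)))
PLAIN_NO_TOKEN = (80, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n")

SAMPLE_FLOWS = [CLEARTEXT_SYNC, TLS_SYNC, PLAIN_NO_TOKEN]

if __name__ == "__main__":
    for leak in extract_tokens(SAMPLE_FLOWS):
        print(f"cleartext GoogleLogin token to {leak.host}{leak.path}: "
              f"{redact(leak.token)}")
```

Run against the constructed flows, only the port-80 calendar sync is reported. The same header-matching logic is what a passive sniffer on an open access point performs, which is why moving the sync traffic to HTTPS, rather than hiding the header, is the fix.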
"This means that the adversary can view, modify or delete any contacts, calendar events or private pictures," the researchers wrote. The token does not reveal the password itself, so the damage is bounded by what the token can reach; within that scope, though, the attacker needs neither to know nor to crack the password.
According to the researchers, 99.7 percent of Android smartphones are vulnerable to this type of attack.
Worse, a captured token stays valid for 14 days, so an attacker does not have to use it on the spot; the researchers note this allows attackers "to comfortably capture and make use of tokens at different times and location."
The researchers urge Android users to update to Android 2.3.4 as soon as it is available for their phone and, until then, to turn off automatic synchronization in the settings menu while using the phone on an open Wi-Fi network.
This finding casts yet another shadow on Android: between infected apps and a reported 400 percent increase in Android malware since last year, Google is having a hard time keeping its increasingly popular smartphone platform safe.
In response to the growing number of security threats targeting mobile users, AT&T has announced plans to launch a consumer security service for mobile users next year.