19 May 2011
The temporary flaw was embarrassingly discovered by three research assistants at Ulm University in the southern part of Germany and currently affects about 97% of Android users.
The funny thing is that the problem stems from a simple security flaw that leaves users susceptible to attack when they are connected to unencrypted Wi-Fi networks.
Essentially, anyone else on that network could gain access to, modify or delete Android users’ calendars, photos and contact information.
The easiest way to explain the flaw is to use interweb banking as an example – virtually all interweb banking is done over what is referred to in interweb jargon as HTTPS, or Hypertext Transfer Protocol Secure.
Currently Android is vulnerable to compromise because it uses the usual interweb interface of HTTP, or Hypertext Transfer Protocol, which is not as secure as encrypted HTTPS.
“It is quite easy,” the researchers explained in one of their blog posts. “The implications of this vulnerability reach from disclosure to loss of personal information.”
Essentially data can be accessed by applications or extensions of the operating system that collect data broadcast over unprotected Wi-Fi networks and which allow, for example, access to other people’s Facebook accounts.
Cleverly, Google was able to fix the problem quite easily on its end and avoid further embarrassment by adding the simple prerequisite that requires an HTTPS connection for calendar and contacts synchronisation instead of an unsecured connection.
Apparently this adaptation to their servers has avoided a notoriously tedious Android update process and all shall be OK in a few days’ time.
The modest researchers also took the opportunity to suggest to Google that in future they prevent Android devices from automatically remembering and logging onto unencrypted Wi-Fi networks.
[Source: CNNMoney]