Wednesday, May 18, 2011
Android and the long-lived authToken
I was very disappointed to hear about Android sending long-lived (~2 weeks) auth tokens in the clear for Google services (the ClientLogin authTokens used by Calendar, Contacts and Picasa sync on Android 2.3.3 and earlier)...very similar to the Facebook/Firesheep issue. There are a few write-ups, but the research was originally done by Ulm University (http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html).
This specific vulnerability is addressable by server-side changes: refuse to honor an authToken presented over plain HTTP, which forces the token exchange onto SSL regardless of what the client's OS version does. I'm glad to hear that Google is moving forward on fixing this side of things. People are also saying it's only exploitable over WiFi, but I wouldn't be surprised to hear of some type of 3G snooping as well.
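As an added illustration of that server-side fix (this is example code written for this page, not code from the original post and not anything Google actually deployed), here is a toy model in Python of a service that only honors ClientLogin-style authTokens over TLS and revokes any token it sees arrive over plain HTTP, alongside the sniffer-side view of the same traffic. The `Authorization: GoogleLogin auth=<token>` header is the real ClientLogin format the Ulm researchers observed; the request capture, token value, user name and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Header format of the Google ClientLogin protocol, which is what the Ulm
# researchers saw on the wire: "Authorization: GoogleLogin auth=<token>".
AUTH_HEADER_RE = re.compile(r"^GoogleLogin\s+auth=(?P<token>[A-Za-z0-9._-]+)$")
TOKEN_LIFETIME_S = 14 * 24 * 3600  # ~2 weeks, the lifetime the research reported


@dataclass
class Request:
    scheme: str   # "http" or "https": the transport the client actually used
    path: str
    headers: dict


@dataclass
class TokenStore:
    # token -> (user, issued_at). Revoked tokens are remembered so a later
    # replay of a leaked token is visibly rejected rather than "unknown".
    issued: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def issue(self, token: str, user: str, now: float) -> None:
        self.issued[token] = (user, now)


def authorize(req: Request, store: TokenStore, now: float):
    """Return (verdict, detail) for a request carrying a ClientLogin-style token.

    Policy modelled on the server-side fix discussed in the post: the token is
    honored only over TLS. A token that arrives over plain HTTP has just been
    broadcast to everyone on the path, so it is revoked on the spot; merely
    rejecting the request would leave it replayable over HTTPS by a sniffer.
    """
    m = AUTH_HEADER_RE.match(req.headers.get("Authorization", ""))
    if not m:
        return "reject", "no token"
    token = m.group("token")
    if token in store.revoked:
        return "reject", "revoked"
    if token not in store.issued:
        return "reject", "unknown token"
    user, issued_at = store.issued[token]
    if now - issued_at > TOKEN_LIFETIME_S:
        return "reject", "expired"
    if req.scheme != "https":
        store.revoked.add(token)
        return "reject", "plaintext transport; token revoked"
    return "ok", user


def leaked_tokens(plaintext_http: str) -> list:
    """What an attacker on the same open WiFi gets for free: scan a plaintext
    HTTP request capture and return every auth token sent in the clear."""
    found = []
    for line in plaintext_http.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            m = AUTH_HEADER_RE.match(value.strip())
            if m:
                found.append(m.group("token"))
    return found


# Constructed sample capture (not real traffic): a Calendar sync request as it
# looked before the fix. The token value is made up.
SAMPLE_CAPTURE = """GET /calendar/feeds/default/allcalendars/full HTTP/1.1
Host: www.google.com
Authorization: GoogleLogin auth=DQAAAKEAAAD_made_up_token_value
User-Agent: Android-GData/1.0

"""


def walkthrough():
    """Replay the scenario: the token leaks over HTTP, the server revokes it, and
    the attacker's replay over HTTPS fails. Returns the sequence of verdicts."""
    now = 1_000.0
    store = TokenStore()
    token = leaked_tokens(SAMPLE_CAPTURE)[0]
    store.issue(token, "victim@example.com", now)
    hdrs = {"Authorization": f"GoogleLogin auth={token}"}
    path = "/calendar/feeds/default/allcalendars/full"
    victim_sync = authorize(Request("http", path, hdrs), store, now)
    attacker_replay = authorize(Request("https", path, hdrs), store, now + 60)
    return [victim_sync, attacker_replay]


if __name__ == "__main__":
    for verdict in walkthrough():
        print(verdict)
```

The point of revoking rather than just rejecting: once the token has crossed an open network in the clear, refusing that one request does nothing for the user, since the sniffer can simply replay the same header over HTTPS for the rest of the two-week lifetime. Forcing SSL stops future leaks; killing exposed tokens is what limits the damage from the ones that already happened.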
BUT this brings up a major concern: Android OS versions are so fragmented, and updates are ultimately controlled by the wireless providers. Even though the latest version of Android doesn't exhibit this behavior, the mobile phone companies continue to drag their feet pushing out the updates. This is akin to vendors that only support IE6...they drag their feet because they can. I think larger customers need to push back: we need prompt patching (or the ability to self-update!).
Posted by Adam at 7:56 PM