Wednesday, May 18, 2011

Android and the long-lived authToken



I was very disappointed to hear about Android sending long lived (~2 weeks) auth tokens in the clear for Google services...very similar to the Facebook/Firesheep issue. There are a few writeups, but the research was originally done by Ulm University (http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html).

This specific vulnerability is addressable by server-side changes to enforce SSL when exchanging the tokens. I'm glad to hear that Google is moving forward on fixing this side of things. People are also saying it's only exploitable via WiFi, but I wouldn't be surprised to hear some type of 3G snooping as well.

BUT, this brings up major concerns that the Operating System versions for Android are so fractured, and ultimately are controlled by the wireless providers. Even though the latest version of Android don't exhibit this behavior, the mobile phone companies continue to drag their feet pushing the updates. This is akin to vendors which only support IE6...they drag their feet because they can. I think larger customers need to push back that we need prompt patching (or the ability to self-update!)

3 comments:

  1. Well put! I agree that there really is no excuse for dragging their feet fixing this security issue. In these days of urging customers to do on-line banking and purchasing, such as Amazon, via their smart phones, it really doesn't seem like the smart thing to do until this and other security problems are solved.

    ReplyDelete
  2. We seem to forget there are also choices that make us dependent on a wireless provider for _only_ service and not extra junk that they shouldn't be involved with in the first place.

    Spend the cash, buy an unlocked Android phone (like a dev phone from Google!). Mod it up, trim it down, patch it up, keep it current, roll your own core code, balance the universal chi! Give the wireless providers the finger with regards to their bloat-filled phones.

    ReplyDelete
  3. -1: Indeed that is a possibility, but it doesn't scale well for the general population...

    Unless the US goes the direction of other countries (non-subsidized phones). At this point, it's a culture of subsidization, where people are generally less willing to pay more for the same phone.

    ReplyDelete