99% of Android phones leak secret account credentials, other sensitive data

“The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned,” Dan Goodin reports for The Register.

“The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said,” Goodin reports. “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.”

Goodin reports, “Google patched the security hole earlier this month with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels, the researchers said. Based on Google’s own statistics, this means more than 99 percent of Android-based handsets are vulnerable to the attacks, which are similar in difficulty and effect to so-called sidejacking exploits that steal authentication cookies.”

Read more in the full article here.

MacDailyNews Take: Yup, if you don’t have an iPhone, well, you don’t have an iPhone (or data security).

[Thanks to MacDailyNews Readers “Fred Mertz,” “Dow C.” and “Sarah” for the heads up.]


  1. Leak? Doesn’t Google see the theft of personal information as their right? When has Google ever respected the law?

    Your free & open Android OS comes with virus & malware preinstalled.

  2. I guess all those fandroids don’t mind their personal information stolen through Android, but do mind if stolen through iOS. To them, a thief is not thief if stealing happens on Google’s turf.

    1. On the other hand, despite the ‘tempest in a teapot’ BS about Apple’s never transmitted anywhere hub and cell tower location data file, I don’t mind Apple getting kicked in the butt from time to time if the result is better technology. And iOS 4.3.3 is better technology.

      Now if only the stooopid US government would get some tech savvy and stop pestering the WRONG company about privacy violations. They could also use a HUGE WHOPPING MIRROR! (aka the unconstitutional so-called ‘Patriot Act’)(And if you haven’t actually read the thing, don’t bother disputing this fact).

  3. Your headline is VERY MISLEADING! and patently false! It is not true that 99% leak, that they are *subject to leaking* is clear, that they are *vulnerable* is clear, but you have given no evidence that any malware has actually exploited this, at least not in 99% of the cases.

    Hence it is patently false that “99% of Android phones leak secret account credentials, other sensitive data”

    I am not an Android fan – but I hate stories that twist the truth.

    1. Errr… sorry, but the headline is correct. They DO leak account credentials by QUOTE : “an authentication token that is sent in cleartext.” (end quote). The question if it’s misused or exploited is irrelevant. A leak that isn’t exploited is still a leak.

    2. It’s way more than a vulnerability. It has been compromised already by University researchers.

      I don’t know about your experience, but in my world, most University researchers don’t have next weekend’s beer money yet. I wouldn’t trust them with my Visa card number and expiry date.

      No wonder most Android phone users steal Apps instead.

    3. I believe this is the same kind of vulnerability the Firesheep extension exploits – the lack of an https connection results in login credentials which can be hijacked. So the headline is indeed accurate.

  4. They need to release a specific security patch to address this and then OTA update all the handsets. Plain and simple.

    Expecting an OS upgrade (which may or may not happen depending on device) is ridiculous on Google’s part.

    1. “Plain and simple” does not go along with Android and the multitudes of different handsets floating around out there. Google can’t just release the update, it has to be released by the manufacturer and tested so that it doesn’t interfere with the manufacturer’s implementation of Android.

      Of course, with an iPhone is it “plain and simple.”

  5. I wouldn’t be surprised if the Apple iPhone had the same issue to be honest because Apple are much better at covering things up although I do think that Apple iPhone data is likely being sold to certain unwanted people by Apple rather than open source data being sent about on Android.

    Have fun Apple fanboys/girls. Apple are the real monsters here, you just haven’t realised it yet. Your Apple-rose-tinted glasses will keep you with them for years to come until they ruin you.

      1. Err I’m a Brit and I love Apple as do many others so your jejune comments are both wrong and insulting. If I were you I’d wind your neck in before you make yourself look completely idiotic.


    1. Do you even think for a second that if Apple had something remotely close to this that the media wouldn’t blow it up and it wouldn’t be front page everywhere. Apple gets murdered when there is anything wrong or could be anything wrong. Google slides all the time on these issues, even though there seems to be a large amount of these stories these days.

    2. Wow, that’s some accusation! You “think” that Apple is selling our data to “certain unwanted people”, but that Google isn’t, even though Google has admitted to designing Android to transmit private, personal data to Google several times an hour and Apple has patched iOS to prevent that from happening.

      Any proof, or would you like to throw out some other conspiracy theory about how Apple watches my every move via my iSight camera on my iMac, just to hopefully catch me inputting my credit card number on an Amazon order?

      Also, if I’m being ruined by my iPhone, BRING ON THE RUIN!!!! I WANT MORE!!!

    3. “…you just haven’t realised it yet”

      Ooooo! Scary FUD!

      Think I’ll run out and get a hemorrhoid phone right now!

      Watch the Senate hearings kids. Google’s going to get ripped a new one while the Senators turn red from bothering to call in Apple at all.

      TardyTroll Skypirate. Naughty naughty! How much are they paying Trolls-For-Pay these days?

  6. Yep, I’ve owned an Android phone, and while the hardware is sometimes better than the iPhone, iOS is so much more secure than Android. Also, the quality of apps is no contest. iOS is way ahead. Its mostly because of Apple’s stellar SDK for iOS. It makes developing apps much easier, and they look more professional.

  7. “Google patched the security hole earlier this month…, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels.”

    Is Google the NEW Microsoft?

    With respect to security: DAMNED RIGHT!

    And I’ll be singing to my friends that I’m “Google-Free!”, just like I’ve been singing since 1992 that I’m Microsoft-Free. :mrgreen:

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.