An Android personal data leakage epidemic has just been revealed. The vulnerability affects 99% of Android phones and may allow hackers to steal your Facebook, Google Calendar, or other personal data if you use a rogue open Wi-Fi network. Here's how to protect yourself.



The vulnerability affects apps that use a Google authentication protocol known as ClientLogin, on Android 2.3.3 and earlier. ClientLogin is supposed to tighten security and improve performance: your username and password are sent (over HTTPS) only once, Google's servers validate them only once, and in return the app receives an authentication token (an "authToken") that it attaches to every later request instead of your password. That token stays valid for up to two weeks, so whoever holds it can act as you for that long.


The problem is that, unless your device is one of the roughly 1% running Android 2.3.4, the apps then send that token in the clear, over plain HTTP, when they sync Google Calendar, Google Contacts, Twitter, Facebook and other accounts. Your password itself is never exposed, but anyone who can read that traffic can replay the token and get into the account for as long as it remains valid. That is exactly the position you are in if you unwittingly connect to an unencrypted wireless network set up by an attacker.

An attacker only needs to set up a Wi-Fi access point that broadcasts a common SSID such as "starbucks" or "attwifi" (an "evil twin" network). Android identifies remembered open networks by SSID alone, so if you have ever joined a network with that name, your phone will automatically connect to the fake one, start its background account sync, and hand the attacker the authentication tokens for your accounts without you touching the screen.
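To make the mechanism concrete, here is an added example of what the attacker (or you, auditing your own phone on your own access point) would look for in sniffed traffic. It is not code from the original article or from Google: a small scanner that walks captured client-to-server segments, parses the cleartext HTTP ones, and reports any request carrying a ClientLogin `Authorization: GoogleLogin auth=...` header. The `Flow` record, the sample traffic and the token value in it are all constructed for this example; the same header sent over HTTPS is shown as opaque TLS bytes, which is why the fixed clients are safe from a passive listener.

```python
"""Scan sniffed traffic for ClientLogin authTokens sent over plain HTTP.

Added example for this article: not code from the original article or from
Google. The sample flows below are constructed, not captured, and the token
value in them is a placeholder, not a real ClientLogin token.
"""
import re
from dataclasses import dataclass

# After the one-time HTTPS login, a ClientLogin client puts the token it got
# back in every data request, like this:
#   GET /calendar/feeds/default/allcalendars/full HTTP/1.1
#   Host: www.google.com
#   Authorization: GoogleLogin auth=DQAAA...
# The bug on Android 2.3.3 and earlier is that the sync clients sent that
# request over port 80, so anyone on the same open Wi-Fi could read the header
# and reuse the token for as long as it stayed valid.
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\r?$", re.MULTILINE
)
HOST_HEADER = re.compile(rb"^Host:[ \t]*(?P<host>[^\r\n]+)", re.IGNORECASE | re.MULTILINE)
GOOGLELOGIN_HEADER = re.compile(
    rb"^Authorization:[ \t]*GoogleLogin[ \t]+auth=(?P<token>[^\r\n]+)",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass(frozen=True)
class Flow:
    """One client->server segment as a passive sniffer sees it (assumed shape)."""
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class LeakedToken:
    host: str
    path: str
    fingerprint: str  # first 8 chars of the token: enough to correlate, useless to replay


def token_fingerprint(token: bytes) -> str:
    """Never log the whole token; the scan report must not become a second leak."""
    return token[:8].decode("ascii", "replace") + "..."


def find_leaked_tokens(flows):
    """Return a LeakedToken for every cleartext request carrying a GoogleLogin header."""
    leaks = []
    for flow in flows:
        if flow.dst_port == 443:
            # TLS: the same header is inside, but the sniffer only sees ciphertext.
            continue
        request = REQUEST_LINE.search(flow.payload)
        auth = GOOGLELOGIN_HEADER.search(flow.payload)
        if request is None or auth is None:
            continue  # not HTTP, or HTTP without a ClientLogin token
        host_match = HOST_HEADER.search(flow.payload)
        host = host_match.group("host").decode("ascii", "replace").strip() if host_match else "?"
        leaks.append(LeakedToken(
            host=host,
            path=request.group("path").decode("ascii", "replace"),
            fingerprint=token_fingerprint(auth.group("token").strip()),
        ))
    return leaks


# Constructed sample traffic; FAKE_TOKEN is a placeholder, not a real token.
FAKE_TOKEN = b"DQAAAMcAAAD-placeholder-not-a-real-token"
SAMPLE_FLOWS = [
    # 1. Calendar sync from a vulnerable device: the token is readable by anyone nearby.
    Flow(80, b"GET /calendar/feeds/default/allcalendars/full HTTP/1.1\r\n"
             b"Host: www.google.com\r\n"
             b"Authorization: GoogleLogin auth=" + FAKE_TOKEN + b"\r\n\r\n"),
    # 2. The same request from a fixed client over HTTPS: only a TLS record is visible.
    Flow(443, b"\x16\x03\x01\x00\x9a\x01\x00\x00\x96\x03\x01" + b"\x00" * 32),
    # 3. Unrelated cleartext browsing with no token at all.
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for leak in find_leaked_tokens(SAMPLE_FLOWS):
        print(f"cleartext ClientLogin token to {leak.host}{leak.path}: {leak.fingerprint}")
```

Only flow 1 is reported. Feeding the scanner a real capture would need a pcap reader in front of it to reassemble each TCP stream into a `Flow`; the detection logic itself is just "port 80, parseable HTTP request, GoogleLogin header present", which is all an evil twin needs, and all you need to check whether your own device still leaks.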


The best recourse here is to turn off automatic Wi-Fi connections (and forget any saved open networks, since a remembered SSID is exactly what an evil twin exploits) and use 3G or 4G mobile service rather than an unsecured wireless network; if your carrier offers the update to Android 2.3.4, install it. If you do need to use Wi-Fi at a hotspot for some reason (e.g., you have a Wi-Fi-only tablet), use something like the recently covered SSH Tunnel app, which creates an encrypted connection between your device and a server to keep data safe from prying eyes. Bear in mind that only traffic actually routed through the tunnel is protected, so make sure it covers background account sync and not just the browser. As a very last resort, manually connect to an open Wi-Fi network only after verifying with the venue that it's the real deal.


Further details on the vulnerability (which is essentially the Firesheep session-hijacking problem, but for mobile sync traffic rather than browser cookies) are below. You can also read up on how to stay safe on public Wi-Fi networks (written for laptops, but most of the advice also applies to your other mobile devices) and why you should avoid "free public Wi-Fi". Photo by Johan Larsson.


99% of Android phones leak secret account credentials | The Register