Following on from the concerns regarding location data in mobiles, new research by security experts at the University of Ulm in Germany indicates that up to 99.7% of phones running the Android operating system are vulnerable to a serious data leak. Using an ‘impersonation attack’, hackers who capture a phone’s authentication token can get into the owner’s Google account and view, modify or delete their calendars, contacts and private pictures. The phone itself is not broken into; the attack is against the Google services the phone synchronises with.
With the market share of Android rapidly expanding, and more than 400,000 Android phones activated every day, the potential risks for this leak are huge. Considering a vast amount of these phones are for business and corporate use, there is also the potential for industrial espionage or blackmail.
Hackers can exploit this loophole by capturing the authentication ‘tokens’ the phone uses to prove to Google’s servers that it is acting on behalf of the account holder. The Calendar and Contacts sync apps (and the Picasa app) send these tokens over an unencrypted connection, so anyone sharing an open Wi-Fi network with the victim, in a café, airport or hotel for example, can read them off the air with a packet sniffer and then present them to Google’s services as the legitimate owner, without their knowledge. The tokens are not tied to the device that obtained them and stay valid for up to two weeks, so a stolen token can be reused long after the victim has left the network.
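To make the weakness concrete, here is a small audit script. It is an added example, not code from the article or from the Ulm researchers. It assumes you have recorded the requests an Android device makes while syncing (for instance by routing the phone through a test proxy in a lab) and flags every request that carried a ClientLogin token over plain HTTP, which is exactly what an eavesdropper on an open Wi-Fi network would have seen. The only real detail is the header format, `Authorization: GoogleLogin auth=<token>`, which is how ClientLogin tokens were sent; the sample requests, hostnames and token values are constructed for the example. The `attach_token` function at the end is the client-side check a sync library should have had: never put a reusable bearer token on a non-HTTPS request.

```python
"""Audit a request log for reusable auth tokens sent over cleartext HTTP.

Added example; not the article's or the Ulm researchers' code. The header
format (Authorization: GoogleLogin auth=<token>) is the real ClientLogin
format; all requests, hosts and token values below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: what a sync client sent, as a lab proxy might record it.
# Token values are fake. Request 4 reuses the token from request 1, which is
# what a sync client did in practice (the token lived for up to two weeks).
SAMPLE_REQUESTS = [
    {"ts": "2011-05-13T10:01:02",
     "url": "http://www.google.com/calendar/feeds/default/private/full",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAAFAKE-calendar-token-1",
                 "User-Agent": "Android-GData/1.0"}},
    {"ts": "2011-05-13T10:01:05",
     "url": "https://www.google.com/m8/feeds/contacts/default/full",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAAFAKE-contacts-token-2",
                 "User-Agent": "Android-GData/1.0"}},
    {"ts": "2011-05-13T10:02:17",
     "url": "http://picasaweb.google.com/data/feed/api/user/default",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAAFAKE-picasa-token-3",
                 "User-Agent": "Android-GData/1.0"}},
    {"ts": "2011-05-13T10:03:40",
     "url": "http://www.google.com/calendar/feeds/default/private/full",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAAFAKE-calendar-token-1",
                 "User-Agent": "Android-GData/1.0"}},
    {"ts": "2011-05-13T10:04:01",
     "url": "http://example.org/",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

# Real ClientLogin header shape: "GoogleLogin auth=<opaque token>".
CLIENTLOGIN = re.compile(r"^GoogleLogin auth=(?P<token>\S+)$")


@dataclass(frozen=True)
class Exposure:
    ts: str
    host: str
    token: str


def cleartext_token_exposures(requests):
    """Return one Exposure per request that sent a ClientLogin token over plain HTTP.

    HTTPS requests are skipped: a passive sniffer sees only ciphertext for those.
    """
    found = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme != "http":
            continue
        match = CLIENTLOGIN.match(req["headers"].get("Authorization", ""))
        if match:
            found.append(Exposure(req["ts"], parts.hostname, match.group("token")))
    return found


def summarize(exposures):
    """Distinct leaked tokens per host; each one is a credential an eavesdropper now holds."""
    by_host = {}
    for exp in exposures:
        by_host.setdefault(exp.host, set()).add(exp.token)
    return {host: sorted(tokens) for host, tokens in by_host.items()}


def redact(token, keep=6):
    """Shorten a token for reports so the audit log does not itself leak credentials."""
    return token[:keep] + "..." if len(token) > keep else "..."


def safe_to_send(url):
    """True only if the URL is HTTPS, the one transport on which a bearer token is acceptable."""
    return urlsplit(url).scheme == "https"


def attach_token(url, token):
    """Client-side guard: build the auth header, or refuse if the request is not HTTPS."""
    if not safe_to_send(url):
        raise ValueError(f"refusing to send auth token over cleartext: {url}")
    return {"Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    exposures = cleartext_token_exposures(SAMPLE_REQUESTS)
    for host, tokens in summarize(exposures).items():
        print(f"{host}: {len(tokens)} token(s) leaked -> {[redact(t) for t in tokens]}")
```

On the constructed sample the script reports one leaked token for www.google.com (the calendar token, sent twice) and one for picasaweb.google.com; the contacts request went over HTTPS and is not reported. The `attach_token` guard shows why the fix belongs in the client as much as on the server: a token that is only ever attached to HTTPS requests cannot be sniffed off an open network in the first place.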
In a blog on the university website, the researchers explained:
“The adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user.”
“An adversary could change the stored e-mail address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”
Mark Evans, director at IT services provider Imerja, said:
“That such an enormous proportion of Android phones could potentially be leaking users’ personal data is shocking. Mobile devices are increasingly used for business, more so than laptops, and their security is essential to protect organisations against data breach or other ill-intentioned activities.”
“The message to companies is clear; mobile devices must be properly secured. They should be implementing robust and enforceable security policy structures to support effective mobile working, such as encryption.”
A spokesperson for Google said:
“We are aware of this issue, and have already fixed it for calendar and contacts in the latest versions of Android. We are working on fixing it in Picasa.”
Unfortunately, not all Android phones can be updated to the latest version (2.3.4), because updates reach handsets through manufacturers and carriers rather than directly from Google, and over 99% of phones are still running earlier versions, so the threat is still very real. Although the researchers did not find evidence of hackers exploiting the leak yet, it seems inevitable that they will in time.
Google needs to ensure all versions of the operating system are secure against this risk, and that all phones are updated automatically as a matter of course, to avoid a privacy catastrophe which would rival the recent PlayStation Network incident in scale and scope. Because the weakness lies in how the token is transmitted rather than in the handset, Google could also close it on its own servers by refusing to accept the token over unencrypted connections, which would protect phones that never receive an update. In the meantime, the Daily Mail lists some suggestions on protecting your Android phone; the most effective, as the researchers themselves advise, is to steer clear of open Wi-Fi networks and to switch off automatic sync while connected to one.