Wednesday, May 18, 2011

Major security flaw in Android phones

A team of security researchers from the University of Ulm (Germany) this week revealed the existence of a major flaw in the way Android, Google's operating system for mobile phones and tablets, handles authentication for multiple services. The flaw could allow third parties to connect to a user's Google account without the user's knowledge.

The vulnerability comes from how Android handles "tokens", the digital equivalent of a spare key, which avoid having to continually reconnect to a service. Up to version 2.3.4 of Android, phones automatically sync calendar and contacts using these tokens when they connect to an already known Wi-Fi network.

By setting up a parallel Wi-Fi network, a third party can theoretically recover those keys and connect to the Google accounts of phones that attempt to connect to the network. Pending a fix for this vulnerability, the researchers recommend upgrading, if possible, to version 2.3.4 of Android and disabling automatic synchronization of contacts on open Wi-Fi networks (in the Preferences menu).
