Android OS Authentication Hole Enables Impersonation Attacks

The flaw, which was first detected by researchers from the University of Ulm in Germany, occurs in the way that Android apps use the ClientLogin authentication feature to access any number of Google services, including Google Calendar and Contacts.

"We wanted to know if it is really possible to launch an impersonation attack against Google service and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," Ulm researchers said in a blog post.

The ClientLogin is an authentication protocol used by installed applications and other Android apps. To use the protocol, the ClientLogin requires a request for an authentication token (authToken) from users wanting to access the the Google service by providing an account name and password via an https connection. Once obtained, the provided authToken can be used for any other authentication request to the service API for up to two weeks.

However, if the authToken request is sent over an unencrypted http connection, hackers could sniff out the authentication token, and subsequently use it to capture any personally identifying data made available through the service API. Google Android version 2.3.3 and lower uses the less secure http connection for authentication.

Hackers could then easily initiate impersonation attacks on users who are connecting with Android OS on any open or public wireless network, or by setting up fake WiFi access points with a common SSID of an unencrypted wireless network, and lure users to connect to it. The attacker would start capturing authTokens for each Google service that the unsuspecting user accessed.

In a successful attack, hackers could gain full access or impersonate the user to commit identity theft, or to launch more malicious attacks. Once attackers infiltrated the victim's Google accounts, they could steal private information stored on the victim's Google Calendar, such as e-mail addresses, phone numbers or home addresses. They could also make subtle changes to the information, such as discreetly changing an e-mail address so that sensitive or confidential company information is unknowingly sent to someone else.

"If the attack is just forwarding traffic, (and extracting authentication tokens,) the victim will never even know what happens," said Bojan Zdrnja, SANS Institute researcher, in a blog post. .

Additionally, the flaw enables hackers to execute ARP poisoning attacks, even on encrypted wireless networks, if the attacker can connect to it.

Once an attacker has successfully obtain the authToken, they could use the obtained credentials to access victims' Google accounts in repeated attacks for another two weeks.

"What's even worse, the token is valid for 14 days, so once it has been acquired by the attacker, it can be easily used in the future," Zdrnja said.

The issue isn't only limited to Android, but any application that uses the ClientLogin protocol over less secure HTTP connections. However, Zdrnja said that the popularity and ubiquity of the Android platform makes it particularly susceptible target for attackers.

Later versions of Android use the more secure HTTPS protocol for authentication. Subsequently, security experts recommend that users update Android to version 2.3.4 on their phones, or higher, in order to reduce the risk of attack.