Android applications can acquire a security token from the ClientLogin authorization process. This token (known as the authToken) is passed back to the device, and with it in hand the device is authorized to make changes to the user's Google account. The problem is that other applications on the device then send this authToken over the network unencrypted, allowing it to be "sniffed" and stolen on an open WiFi network. The authToken is valid for a full 2 weeks and is not bound to any specific device, service, or session, so once it is taken a "hacker" could potentially steal, modify, or erase the user's Google contact and calendar data. This exploit, which was patched in the latest version of Android, is just the most recent example of what is wrong with Google's operating system as it stands today, and the fault doesn't necessarily lie solely with Google. As I said, the issue was patched by Google, but unless you own one of the few Google-branded phones out there (about 0.3% of Android phones) you haven't seen the update yet, and many of us likely never will. And that is where the problem is.
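To make the problem above concrete from the defender's side, here is an added example (not code from the original post or from Google): a small Python script that scans a constructed sample of captured HTTP requests and flags every ClientLogin authToken carried over plain http://, plus a client-side guard that refuses to attach the token to anything but a TLS URL. The `Authorization: GoogleLogin auth=<token>` header is the ClientLogin convention; the hosts, paths and token values in `SAMPLE_REQUESTS` are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample of requests seen leaving a device on an open network.
# Hosts, paths and token values are made up for this example.
SAMPLE_REQUESTS: List[Dict] = [
    {   # contacts sync talking plain HTTP with the ClientLogin header attached
        "url": "http://www.google.com/m8/feeds/contacts/default/full",
        "headers": {"Authorization": "GoogleLogin auth=DQAAAMADEUPTOKEN0001"},
    },
    {   # calendar sync doing the same over TLS: not readable on the wire
        "url": "https://www.google.com/calendar/feeds/default/private/full",
        "headers": {"authorization": "GoogleLogin auth=DQAAAMADEUPTOKEN0002"},
    },
    {   # unauthenticated plaintext request: nothing to steal
        "url": "http://www.google.com/generate_204",
        "headers": {},
    },
]

# ClientLogin attaches its token as "Authorization: GoogleLogin auth=<authToken>".
GOOGLELOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    path: str
    token_hint: str   # enough to correlate a finding, never the full secret


def _auth_header(headers: Dict[str, str]) -> str:
    """Case-insensitive lookup of the Authorization header."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            return value
    return ""


def find_plaintext_tokens(requests: List[Dict]) -> List[Finding]:
    """Flag every request that carries a ClientLogin authToken over plain HTTP.

    On an open WiFi network every other station can read http:// traffic, so
    each hit is a two-week, device-unbound token an eavesdropper could now hold.
    """
    findings: List[Finding] = []
    for req in requests:
        parts = urlsplit(req["url"])
        match = GOOGLELOGIN_RE.match(_auth_header(req.get("headers", {})))
        if match and parts.scheme.lower() != "https":
            token = match.group(1)
            findings.append(Finding(parts.hostname or "", parts.path,
                                    f"{token[:6]}...({len(token)} chars)"))
    return findings


def attach_client_login(url: str, auth_token: str) -> Dict[str, str]:
    """Client-side guard: only ever put the token on a TLS connection.

    Returns the headers to send, or raises if the caller is about to make the
    same mistake as the sync apps described above.
    """
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send authToken over non-TLS URL: {url}")
    return {"Authorization": f"GoogleLogin auth={auth_token}"}


if __name__ == "__main__":
    for f in find_plaintext_tokens(SAMPLE_REQUESTS):
        print(f"plaintext authToken to {f.host}{f.path}: {f.token_hint}")
```

Only the contacts request is reported: the calendar request carries the same kind of token but over TLS, and the third request has no token at all. The guard in `attach_client_login` is the fix an application author controls even when the OS underneath is never updated.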
Google updates Android quite frequently; in fact the latest version of Android, Gingerbread, has been out for almost a year and has been updated several times since then. Unfortunately, if you look through Verizon's stable of Android phones, not one is available with Gingerbread installed, including their wallet-busting 4G "super phones", the Charge and the Thunderbolt. Ouch...
As an outsider looking in, it appears that the OEMs are more concerned with putting their update-killing skins on a phone (i.e. Motorola's Blur, Samsung's TouchWiz, and HTC's Sense) than with keeping the operating system they run on current. Then, if they do get around to updating, we still have to wait for the cell carriers to test the update and add their bloatware before they finally get around to pushing it out to our phones. Finally, the OEMs are doing their best to make it harder for us to do what they seem unwilling to do, update the OS ourselves, because of their decision to lock down the boot loaders, making root access difficult if not impossible. It sounds like a malicious hacker's dream situation: an immensely popular operating system that is rarely updated.
So what is a Verizon Android lover to do? We don't have access to a Google Nexus phone with its consistently updated operating system, and even buying a new phone doesn't guarantee getting the latest OS (is it really a new phone if it runs an outdated OS?). All we can hope for, it seems, is that Google uses its considerable clout to steer the OEMs and cell carriers towards doing what they should already be doing: updating their products.
Unless and until that happens, security flaws like the one exposed yesterday will continue to be an issue even after being exposed, and Google will sooner or later become a security joke on par with the Microsoft of years gone by. Eventually, and it truly pains me to say this, the security-conscious among us might be forced to embrace the closed system provided by that company with a fruit logo.
Please Google, help us.
UPDATE: Google says it will be sending out a server-side patch to fix this latest security issue.
Oh thanks, I appreciate that!