Serious Android Security Flaw Lets Apps Send Unencrypted Data


In an article posted a few days ago, researchers from Ulm University show how Android apps that require sync send encrypted data (the authToken) to servers, but unfortunately the data transmitted back to the Android user goes totally unencrypted, data which hackers can exploit to steal important information.

Google announced that it is going to fix the issue, also for devices with older Android versions. The fix does not require an update of the Android OS and will be transparent to the user.

Note: The fix will not prevent the reuse of already captured authTokens. So if you think that you were compromised (e.g., some contacts or events changed or disappeared), you should immediately change the password of your Google account. This will render all existing authTokens for that particular account useless.

According to SANS, this vulnerability affects more than Android devices: any other application that uses the ClientLogin protocol over plain-text HTTP is subject to similar attacks. However, since Android is so widespread, it looks like the most critical target for a potential attacker.

So far Google has delayed announcing a fix for this vulnerability, and until then the only thing we can do to protect our data is to STOP all apps that require synchronization with a server, or upgrade to the latest 2.3.4 Gingerbread, since this version uses HTTPS (SSL, to encrypt all data) for authentication.
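For anyone monitoring their own network or proxy logs for this class of problem, the check below is an added example (not from the original article or from the Ulm researchers): it flags requests that carry a ClientLogin token over plain HTTP instead of HTTPS. It assumes the ClientLogin convention of an `Authorization: GoogleLogin auth=...` header and a capture exported as "scheme host path" followed by the request headers; the sample requests are constructed.

```python
"""Flag Google ClientLogin auth tokens that cross the wire in plaintext.

Added example, not code from the original article. It assumes the ClientLogin
convention of sending the token in an `Authorization: GoogleLogin auth=...`
header, and that a proxy or capture tool exported each request as a first
line "scheme host path" followed by its headers.
"""
import re
from typing import Dict, List

AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I)


def parse_request(raw: str) -> Dict[str, str]:
    """Split a captured request into scheme, host, path and its auth token (if any)."""
    lines = raw.strip().splitlines()
    scheme, host, path = lines[0].split()
    token = ""
    for line in lines[1:]:
        m = AUTH_RE.match(line)
        if m:
            token = m.group(1)
    return {"scheme": scheme.lower(), "host": host, "path": path, "token": token}


def plaintext_token_leaks(requests: List[str]) -> List[Dict[str, str]]:
    """Return every request that carried a ClientLogin token over plain HTTP."""
    leaks = []
    for raw in requests:
        req = parse_request(raw)
        if req["token"] and req["scheme"] != "https":
            # Record only a prefix: the full token is a credential and must not be logged.
            leaks.append({"host": req["host"], "path": req["path"],
                          "token_prefix": req["token"][:8] + "..."})
    return leaks


# Constructed sample capture: contacts sync over HTTP (leak), calendar sync over
# HTTPS (fine), and an HTTP request with no token at all (fine).
SAMPLE_REQUESTS = [
    "http www.google.com /m8/feeds/contacts/default/full\n"
    "Authorization: GoogleLogin auth=DQAAAK4AAADEXAMPLETOKEN0001\n"
    "User-Agent: Android-GData/1.2",
    "https www.google.com /calendar/feeds/default/private/full\n"
    "Authorization: GoogleLogin auth=DQAAAK4AAADEXAMPLETOKEN0002\n"
    "User-Agent: Android-GData/1.2",
    "http www.google.com /m8/feeds/photos/media/default\n"
    "User-Agent: Android-GData/1.2",
]

if __name__ == "__main__":
    for leak in plaintext_token_leaks(SAMPLE_REQUESTS):
        print(f"plaintext ClientLogin token sent to {leak['host']}{leak['path']} ({leak['token_prefix']})")
```

Any hit means the token can be replayed by whoever saw the traffic, so the account password should be changed as the note above describes.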
