Is Your Android Device Secure? New Vulnerabilities Raise Serious Questions (Part 2)

android iconEver heard of the “Master Key,” or know how your “weblogin Token” can be stolen? Both are serious issues that demand the question: “Is your Android device secure?” As an attorney, it’s likely that you use your phone or tablet to conduct business, including storing or discussing confidential client information. If any of the devices you use operate on the Android OS, you had better have the security of that information in mind, and know how to minimize your risks. In this three-part article, I hope to help you do just that.

Next, what is the “weblogin Token,” and how does it affect my security…

(In Part 1, I discussed the “Master Key” vulnerability, in Part 2, I will discuss the recently revealed security problem with Google’s “weblogin Token,” and in Part 3, I will talk about how Google’s piecemeal update system makes these vulnerabilities particularly worrisome, and what attorneys can do to protect themselves and their clients’ confidential information.)

If you have an Android device, odds are you use that device to log in to a Google account somewhere.  Be it Gmail, Google Calendar, Google Drive, or even Google Apps for Business, you probably log in using your Android device. For good reason: Google offers you an easy way to log in to all of your Google sites through your Android device through their “weblogin” program.

The weblogin program works by creating a unique “token” on your device when you sync it up with your Google accounts. Any time you access those Google accounts from your Android device once the token is set up, you are automatically authenticated and given access. As a feature, it’s ideal because it helps us in two ways: 1) it makes the overall use of the device faster by taking away steps in the process, and 2) it gives us another way to avoid having to remember all of our passwords to everything we have (a VERY human desire that, as I will discuss in a later post, is truly our biggest security issue).

Nothing That Is Easier Is Also Safer

Unfortunately, like anything else, by making access to your Google accounts easier for you, they’ve also made it easier for hackers. At the recent Defcon Security Conference in Las Vegas, Craig Young, a researcher for the security company Tripwire, Inc., demonstrated how easily the Weblogin vulnerability could be exploited, and raised some other serious questions about the actual capabilities of Google’s anti-malware screeners.

To demonstrate his findings, Young developed what is called a “proof-of-concept” app and uploaded it to the Google Play Store. The app was listed as a stock-viewing app, to be used in conjunction with Google finance. However, once downloaded onto an Android device, it would access the user’s Weblogin Token for Google Finance, and send it back to the hacker. What Young learned is that the token generated for Google Finance allowed him access to ANY of the user’s Google accounts.

If the account holder is the administrator of a Google Apps for Business account, things can get worse.  With access to the Google Apps account, a hacker can force-download apps, change passwords for Google Apps accounts, change access and admin permissions, create and modify mailing lists, and even add privileges for new or other users. A scary prospect for business owners.

Bouncing Google’s Bouncer

Ok, so that’s pretty bad. What he found while testing his app may be even more frightening, and have significantly more far-reaching implications. His app was clearly labeled as malware, with explicit instructions for anyone on Google Play to avoid downloading and implementing it.  He was trying to test his theory, not steal actual Weblogin tokens from innocent downloaders. Well, the app, which included the word Malware in its basic description, was allowed to remain on the Google Play store for over a month. There is no evidence that, during that month, Google’s anti-malware scanner, called “Bouncer” (released to significant fanfare in February) ever scanned the app to determine if it contained malicious software. Possibly worse, if it did scan the app, it did not detect the malicious nature of the app, calling the effectiveness of Bouncer into serious question.

While the Weblogin token vulnerability is significant, Google, which was informed about the vulnerability in February, has taken some steps to limit the ability of hackers to access some accounts using a stolen token. However, Young demonstrated that one of the fixes Google claimed to have made, restricting access to Google Takeout information, is still easily obtained using a stolen Weblogin token.

[poll id=”4″]The bigger concern for users of Android devices should be Google’s apparent inability to detect an app with malicious software even when the description of the item identifies it as malicious. Some might argue that the app was essentially hiding in plain sight, but that’s a bit ridiculous to me. (It is notable that most of the available antivirus program for Android did not detect the malware either.) Considering the fact that Android continues to gain market share in both the smartphone and tablet industries, Android will continue to be a gigantic target for hackers. With the effectiveness of Google’s own security systems in question, owners of Android devices will have to be particularly vigilant, and take steps to protect themselves…

(To be concluded Friday, when I will discuss the example of the HTC One S, and how owners of Android devices can better protect themselves from hackers and malicious software)