Tut tut, NO

Sorry, I'm being a bit slow and struggling to understand the story here. I've got as far as, "tokens" are sent to authenticate my identity and keep me logged in to sites such as, for instance, Digital Spy. And if I do this across open Wi-Fi, someone could pick it up and use it to log themselves in.

However, what I don't get is... doesn't every phone do the same? Surely authenticating details being sent and intercepted across open Wi-Fi is a problem for all browsers on all phones? Or is it specifically the way Android's browser handles these that causes a problem?

totally agree with you. IPhone, over priced and for sheep! lol

Yeah it makes me laugh too for pretty much the same reason. Whilst the tone of the OP was clearly looking for a reaction from Android users it comes as no surprise that some of them have chosen to basically stick two fingers in their ears and go "la la la la I am not listening" at their OS having an issue.

The only surprise so far in this thread is that moox hasn't shown up to join in the denial yet

Hmmm...

So far i cant see anyone denying an issue whatsoever. However, its basically a non issue anyway considering if you use an unencrypted wifi network your a daft arse anyway and deserve what you get!!

Not quite, if you are transferring a critical information in your programme, you as a developer/designer have to make sure you do not expose it, you have to use an encryption and not expect that the channel will be (probably) encrypted. Not doing so is reckless, saying the user is stupid, because they used an open network is laughable.

Brilliant. In your first sentence, you said nobody had denied there being an issue. Then you immediately went on to deny it being an issue.

No i didnt. I said its an issue, but not a serious one.

Learn to read please.

No you didn't, you said it was a "non-issue".

Sorry i cant make heads nor tales of your post.

Not sure whether your saying the developer should use encryption or not.

For Christ sake!!! I said it was BASICALLY a non issue. Thus its an issue but not a serious one......

Again learn to read for gods sake.

That bad? I am saying if you are working with a critical information you have to do everything to prevent anybody to take it from you. Encryption is means for that. They left it all in the open, relying on that the network provides its own encryption. That's a very bad habit. I wonder how many such cases are still present in Android code. People use open wi-fi networks all the time, you have to make sure your programme is safe, not just safe most of the time.

Haha! No, wasn't that bad!

Have to admit i use someone's open wifi connection when im standing at the bus stop but as said in the news article, it may have been discovered, but as yet its not thought anyone is using the vulnerability.

I guess there are two things here. I would agree that, when you use unsecured wireless networks (which I do when out and about), you accept the risks that are inherent with such a connection. But developers should make sure it isn't quite so easy to exploit. Anyway, this is something that Google can fix server side, so it'll probably be sorted in the next few days.

Open reporting of security holes is counter-intuitive, I know, but it's in the public interest that people and businesses should be aware of risks and producers should have an incentive to fix the holes before damage is caused.

All systems have design bugs. Open systems like Android are easier to audit for security and the more eyes on the code the better. Paradoxically the best thing that could happen to the security of open source systems would be for Apple, Microsoft, Oracle and other vendors of closed systems to spend a lot of money finding and exposing security holes in open systems.

Well the point is that you and I can look at the Android code for ourselves so we don't have to sit and wonder. I don't say that Apple and Microsoft are particularly bad at security but their code undoubtedly contains security holes that are not known to the public because their code is mostly closed.

Criminals and hostile military entities will expend considerable effort to find and covertly exploit such vulnerabilities, so the closed source model actually plays into their hands by keeping them out of the public consciousness. At least with open source systems the chance of vulnerabilities being quietly exploited by malefactors without being identified and fixed is lower.

ZDNet has clarified - without the scaremongering.

I have an Iphone 4, ( Bought for £200 )
Contract of 500 mins, unlimited text, unlimited data T mobile for £8 a month.
I'm happy.
Had an Android, take away the customisation function, and your left with nothing much.
In my view, Apps make the phone and this is where the Iphone soars above the rest.

I stopped reading when I saw that it was from the mail.

iPhones have had their fair share of issues too. All these devices will, it is a constant battle between the technologies and the people looking to manipulate loop holes.

That being said I will stick with my iPhone. Although I do have an android phone for work

Android does practically everything (if not more) as the iPhone, you pay for the brand, the apps on Iphone/Android are practically identicle

I have an X10i not the most popular phone BUT I just upgraded it to 2.2 with custom Firmware and it can easily keep up with the latest releases, I'm not into the "must have" tech all I want is something that works and does what I need it to, the X10I does that (just like HTC/Samsung etc etc) and pay less than I would for an "apple" every OS has security flaws, its the nature of the beast, there is nothing 100% unbreakable closed operating systems maybe less prone, the hackers just go for a better exploit, people need to chill out and ignore the pathetic scaremongering

For this you don't necessarily need the source code, you just listen to communication and analyse if you get something interesting, same can be done with iPhone or WP7. Open source is lovely, but how many people have time or ability to critically read it. And you still get people who programme the way it was done in dark ages of computing when people relied on the kindness of strangers, it's alarming. These are some basic rules, the programmer should know, that they cannot use unencrypted transfer for anything concerning security. MS is still paying for being blasé about security in the past. This looks like repeating of the same mistakes. I do not want to make it into big issue, but if the programmers ignored this or had no clue at all, then it's not good.

I agree with you completely on the security problem that has been identified here.

My point is that for Microsoft and Apple and Oracle we can only trust and listen carefully to traffic. We can't look at the code except for a few notable experiments.

Open source code lets you spot the problem *before* it hits you in the pocket. What would you rather do, trust in a company to always spot such problems or trust in the millions of people to the internet to spot them? Historically the random guys on the internet have the edge.

This is not to say that Microsoft, Apple and Oracle are doing it wrong. But they've all been slow to learn how to compete in the long run against open source systems. The result is that a credible open source competitor has arisen.

I note that the Daily Mail piece refers to the discovery as originating at the University of Ulm. A brief search turned up the following article at the University's website:

Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub.

I need to make a significant correction to my earlier statement. The security hole does not lie within the core code of Android, the open source part, but in a protocol known as ClientLogin. This is designed to be used over a secure connection (https, or SSL as it is sometimes known). Some systems, though, including some of Google's own applications such as Contacts and Calendar, have been using this protocol over plain unencrypted http which means the security tokens can be read and used by a hostile third party.

The fact that the authorization tokens were being sent unencrypted was discovered by Dan Wallach of Rice University in Houston. Using a packet sniffing tool called Wireshark (formerly ethereal) and a transparent TCP and UDP proxy called Mallory, Wallach and his undergraduates determined that:


So this security was discovered by examining Android systems in operation over an open wireless connection. No source code was examined.

Wallach also found significant vulnerabilities in the Facebook application for Android.

The University of Ulm article ends with these recommendations for Android users:

What Android users can do:[LIST][*]Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future. [*]Switch off automatic synchronization in the settings menu when connecting with open Wifi networks.[*]Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press network name and select forget)[*]The best protection at the moment is to avoid open Wifi networks at all when using affected apps.[/LIST]

Great, but how do you manage with such a small screen to see anything? My experiences with an iPhone were trying to peer through a letter box, totally inadequate and sooo last decade. Also it weighed an absolute ton. Like carrying around a brick. I hope for Apples sake they address these issues and make the screen at least an adequate size and learn how to use light weight plastic material rather than old fashioned heavy metal.

Hardly a standard contract, as for £10 a month you get 100 minutes and not unlimited text, and some form of limit on the internet but not totally clear.

Never mind that you magically got an IPhone for a lot less than general price (the cheapest used one at CEX is £370 for example, not that they are the best for used prices but it is a good marker for someone claiming to have got it for half that price).