Researchers show Android devices susceptible to eavesdropping


( -- Following up on research done by Dan Wallach of Princeton University, that suggested Android devices were susceptible to an eavesdropping risk on open WiFi networks, German researchers Bastian Könings, Jens Nickels, and Florian Schaub have shown that by using commercially available software (Wireshark) they were able to listen in on an open WiFi network and gain sufficient information to impersonate a legitimate user. Posting their results on the University of Ulm website, they describe how they were able to obtain access to Google calendar and contact data as well as Picasa images via the capture of authentication tokens.

In a February 22nd University Center for Information Technology Policy, blog post, Wallach, remarked on how as part of a security class he was taking, he discovered that by sniffing data traffic coming to and from his Android smartphone using both Wireshark and Mallory, he was able to easily see Google calendar transactions and how easy it would be for someone to grab some of that information to impersonate him on Google applications.

The German research team, after seeing what Wallach had found, decided to look a little deeper; they found that because phones use tokens, called authTokens, that allow legitimate users to remain logged into certain Google applications for up to two weeks, that are unencrypted; nefarious characters listening in could capture those tokens and then use them for their own illegitimate purposes, such as scraping calendar information, contact email addresses or to view private images in Picasa.

In some respects, many might not see such a breach as all that big of a deal; it’s not like Google is passing around bank account codes willy-nilly, but, that’s beside the point. What’s important is that , a huge company with vast resources and staffed with some of the best in the business, clearly knew and understood what it was doing when it chose to use plain text messaging as the means for transmitting it’s authTokens; a move that demonstrates wanton disregard for the privacy of it’s user community; something that the company is already in hot water over due to the recent discovery that it has been tracking users movements via GPS.

Researchers show Android devices susceptible to eavesdropping

And while this issue will eventually go away as users upgrade the software on their phones, something else is rather important here, and that is the means by which this news has come to the fore, i.e. through a grad student taking an undergraduate course, basically just fooling around with sniffing software. This quite naturally begs the question of, what else is at risk? If there is no organization or agency testing the products that are sold by huge companies to users, how can we know that the things we do are safe from those who might wish to steal our data, impersonate us, or worse use the things they find against us, such as disseminating embarrassing pictures we thought were safely tucked away under password protection on ?

Explore further

Google adds voice and video to Google Talk on Android smartphones

© 2010

Citation: Researchers show Android devices susceptible to eavesdropping (2011, May 18) retrieved 22 September 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

May 18, 2011
Let's just say if you don't trust someone completely, don't leave your droid around them unattended....

May 18, 2011
This article states the obvious.
FACT: Any device on an open or any WEP and WPA with a weak password can be sniffed due to arp poisoning attacks, even SSL can be sniffed easily.

May 18, 2011
This comment has been removed by a moderator.

May 18, 2011
No body seems to care but the whole idea is to make all your private info available so it can be taken and sold and used against you.
All those face-book people think that they are not paying for it.

May 18, 2011
Would like to add, the best thing you can do to keep your wireless network safe is use a WPA/WPA2 variant with a strong password(upper/lowercase and numbers).

May 18, 2011
@Luckybrandon, how fast can you break wpa? While its true, you can capture the wpa handshake, it will take you years, even using rainbow tables, if the password is strong. a good password is key. Therefore wpa is fine as long as you have a good strong password, wep as I said before is pretty much broken and should rarely be used. SSL can be stripped with ease and worked around, I'm certain you can find a YouTube of someone doing this. I personally use SSLstrip when I audit to accomplish this.

May 20, 2011
@LuckyBrandon. or google "backtrack" you should give this Linux distro a look, its a pentesters dream. Made my job 100x faster, has almost everything you need. Certain it will do the same for you.

Jul 03, 2011
i was at the the verizon store looking at a new smartphone (Android) and the sales rep indicated that the phone stores both the contacts and calendar data into the (internet) cloud (e.g. on some Google site). Given that you need to "sign" the google gmail agreement to use the phone and that this agreement states that all information on the google server they have access to and may use without further consent from the user (e.g. me); does this not pose a security risk and the possibility that google will use data from the phone or distribute it to their advertisers? I dont want google or ANYONE else to see, use, or have any access to my contacts or calendar information, as well as any other data received, transmitted, or stored into my phone (e.g. call log data).

also, what prevents an app (e.g. PC tethering) from collecting data and sending it to a secondary internet address (not one that I intend to be connected to)?

what are the protections from viruses and spyware?

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more