The Recycle Bin

A repository of comments, code, and opinions.


Public Wi-Fi Dangers with Android Phones


Turns out there is a nasty vulnerability affecting pretty much every Android phone out there.  Since it involves connecting to public Wi-Fi networks, it seems like a good follow-up to one of my previous posts.

Here’s how it goes: when you connect to a site like Facebook for the first time, you send your credentials and in return the site generates a unique session ID, the session ‘token’.  After that exchange, the token alone is enough to authenticate you to the site.  It is valid for a period set by the site (some use 30 minutes, some two weeks, some never expire), which is what lets you revisit the site and stay logged in without entering your credentials every time.  Android phones are set by default to automatically reconnect to Wi-Fi networks they have connected to before.  Once connected, the apps on the phone automatically talk to their corresponding web services, sending either a session token or a real username and password.

Here is what an attacker can do:  if a person has connected their phone to a common public Wi-Fi hotspot, say Starbucks’ Wi-Fi, whose SSID just happens to be “Starbucks”, then the next time the phone sees a network named “Starbucks” it will automatically connect to it.  Because hotspots like this are open networks, the phone identifies them by SSID alone and has no way to tell a rogue “Starbucks” from the real one.  All an attacker has to do is set up a malicious hotspot near a real one, give it the same name, and wait for phones to come into range and connect.  Once a phone is connected, the attacker can capture any session tokens its apps send in the clear, then operate on the site as that user, as well as eavesdrop on everything sent to the service.

Since most sites only use SSL for logging in, your username and password for the service are protected.  However, there is a pretty good chance that the site does not use SSL for the rest of the session and simply sends the session token in plain text.  The problem is that the phone reuses the session token it was issued while connected to the previous, trusted Wi-Fi network: the apps replay it on whatever network the phone is on now, including the attacker’s, meaning that your session ID is free game for anyone listening.
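To make the mechanics concrete, here is a small Python model of the attack. It is an added example, not code from the original post or from the linked write-up; the hostnames, cookie names and token values are constructed. It shows why the token the phone replays on the rogue hotspot is reusable, and why the same token would not leak if the site served the session over SSL and set the cookie’s Secure attribute, which a conforming client never sends over plain HTTP.

```python
# Added example, not code from the original post: a small model of the token
# replay the post describes, and the Secure cookie attribute that stops it.
# All hostnames, cookie names and token values below are constructed.
import re
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # RFC 6265 "Secure": only send over HTTPS


class CookieJar:
    """Minimal client-side cookie store. Like an app that has logged in once,
    it replays the stored session token on every later request."""

    def __init__(self):
        self._cookies = []

    def store(self, set_cookie_header):
        # Parse a "name=value; Secure; HttpOnly" style Set-Cookie header.
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        self._cookies.append(Cookie(name, value, secure))

    def cookies_for(self, scheme):
        """Cookies a conforming client attaches to a request over `scheme`.
        A Secure cookie is withheld from plain http requests."""
        return [c for c in self._cookies if scheme == "https" or not c.secure]


def build_request(jar, scheme, host, path):
    """The bytes the phone puts on the Wi-Fi link for one request."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    cookies = jar.cookies_for(scheme)
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in cookies))
    return "\r\n".join(lines) + "\r\n\r\n"


def sniff_session_tokens(captured):
    """What the rogue hotspot operator extracts from a captured plaintext
    request: every name=value pair in the Cookie header."""
    m = re.search(r"^Cookie: ([^\r\n]*)", captured, re.M)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split("; "))


def hijack_request(stolen, host, path):
    """The attacker's own request carrying the stolen token: the site cannot
    tell it from the victim's, which is the whole point of a session token."""
    cookie = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"


def scenario(secure_flag, later_scheme="http"):
    """Login over HTTPS on the trusted network, then an automatic refresh of
    the feed after the phone has reconnected to the rogue "Starbucks" AP.
    Returns the tokens the hotspot operator ends up with."""
    jar = CookieJar()
    # Constructed login response; the token value is made up.
    jar.store("sid=3f9a1c7e; HttpOnly" + ("; Secure" if secure_flag else ""))
    request = build_request(jar, later_scheme, "www.social.example", "/feed")
    # Over HTTPS the request is inside TLS, so the hotspot captures only
    # ciphertext; modelled here as an empty capture.
    captured = request if later_scheme == "http" else ""
    return sniff_session_tokens(captured)


if __name__ == "__main__":
    stolen = scenario(secure_flag=False)
    print("site without Secure flag, refresh over http :", stolen)
    print(hijack_request(stolen, "www.social.example", "/messages"))
    print("same site with Secure flag, refresh over http:", scenario(True))
    print("whole session over https                    :", scenario(False, "https"))
```

Run as a script it prints the token the hotspot captures in the weak case, the attacker’s replayed request, and the two cases (Secure cookie, or SSL for the whole session) where the capture comes back empty. The client-side model is deliberately simple: it only honours the Secure attribute, which is the one that matters for this attack.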

The best way to mitigate this on the phone is to shut off the option to automatically connect to networks it has already connected to, or to “forget” public hotspots once you leave.  On the site’s side the fix is to serve the whole session over SSL, not just the login, and to mark the session cookie Secure so that the client never sends it in plain text.

Much more detail here: http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

Written by Nathan

May 19, 2011 at 10:39 am

Posted in Security
