Google moves fast to plug Android Wi-Fi data leaks

'Impressive,' says mobile security expert on Google's quick move to fix flaw

1 2 Page 2
Page 2 of 2

Google declined to specify how it's addressing the problem, but the German researchers had posed several ways the search giant could plug the security hole.

Among them, Google could modify its services to "reject ClientLogin-based requests from insecure HTTP connections to enforce use of HTTPS," said the researchers, referring to the encrypted data transmission used by online retailers. "HTTPS is already required for the Google Docs API und will be required for Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs."

Lookout's Mahaffey suspects that that is exactly the route Google is taking.

"I haven't seen exactly what they're doing," said Mahaffey, "so I can't speculate much, but one solution would be to make it so that authentication tokens aren't sent in the clear anymore."

Paquette assumed the same.

"My guess is that the ClientLogin Protocol had an option that allowed clear text over HTTP, and that Google disabled that on its end by having it say, 'Our end is always going to say "No" to that.' When that happens, the client will decide to send the authentication request encrypted."

While Google could have applied the same fix to the client side -- to each Android phone running an older version of the operating system -- the faster solution was to do it on the server side, Paquette said.

"It's possible that the newest [version of] Android doesn't even offer that [clear text] option," speculated Paquette when asked why only older editions of Android were affected.

HTTPS has been in the news several times this year, as major Web-based services have added it as an option or made it a requirement in an attempt to prevent password theft at unsecured Wi-Fi hotspots.

Last March, for example, Twitter added HTTPS as an option to its users.

Some of those moves were in reaction to last year's release of the "Firesheep" add-on for Mozilla's Firefox that let "pretty much anyone" scan a Wi-Fi network and hijack others' credentials for Amazon, Facebook, Google, Twitter, and other services.

"Right now, we're in a transition period," said Mahaffey, talking about the move from unsecured HTTP to the encrypted HTTPS. "It's taken the industry a while, but with the amount of data stored in the cloud, being moved to the cloud, it's very important that HTTPS be required."

Google is still investigating the authentication issue during synchronization between Android phones and its Picasa service.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon