99% of Android handsets have critical account credential security bug

A new report says that 99% of Android handsets have a security issue that leaves users’ account and password information accessible as cleartext, according to The Register.

The bug is in the ClientLogin service, which handles account security tokens in Android versions 2.3.3 and earlier.

When a user submits credentials for accounts like Google Calendar and Contacts, the Android software retrieves an authentication token from the service. This token is stored as cleartext for 14 days and reused for any subsequent requests.

An attacker who obtains this stored token can use it to access the user’s online accounts.

Google has patched this issue as of Android 2.3.4, but since many handsets aren’t updated quickly, this bug is still present on almost every single Android handset in the wild. Even in 2.3.4, however, the issue still exists with Google’s online photo service Picasa. Google says that a fix is in the works for this service.

This issue — while serious — drives the point home that fragmentation and carrier control of handsets are seriously hampering Android. Apple had an iOS update out to every user in just over a week to resolve the location-tracking bugs discovered several weeks ago. With Android, such a fast turnaround time for bug fixes simply doesn’t seem possible.

Article Via BGR

Stephen Hackett, formerly a Lead Mac Genius at Apple, now spends his days running the IT department of a large non-profit in Memphis, TN. He writes about Apple, design and journalism at forkbombr.net. Like all twenty-somethings, you can find him on Twitter. Oh, and he has a dogcow tattoo.