Attacks/Breaches
8/5/2013
01:44 PM
50%
50%

Android One-Click Google Apps Access Cracked

Hackers could intercept Android users' unique authentication token and gain unauthorized access to Google Apps, Gmail, Drive and other services.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Android smartphone and tablet users: Beware attackers who come gunning for a Google-issued authentication token that allows your device to automatically log into Google Apps, Gmail, Google Drive, or any other Google service.

That warning comes by way of Tripwire security researcher Craig Young's Saturday presentation at the Def Con information security conference in Las Vegas, in which Young detailed how a "weblogin" token issued by Google to Android users -- each token is unique -- could be intercepted and abused by an attacker.

A weblogin token allows an Android user to log into a desired Google service in lieu of having to enter a password. Accordingly, any attacker able to obtain a user's token could access any Google service that the Android device is configured to use. Furthermore, any attacker who gained root access -- using malware -- or physical access to an Android device would likewise be able to retrieve the token and gain carte-blanche access to any Google service authorized for use on the device, including Google Apps, Gmail and Google Drive.

[ Feds urge all website operators to check for crypto attack vulnerability. Read HTTPS Hackable In 30 Seconds: DHS Alert. ]

"Android trades security for convenience," said Young, noting in a blog post that he discovered the vulnerabilities after reviewing the Android API. That led him to quickly prototype several iterations of Android applications designed to mislead the user and gain complete account access without passwords or two-step verification codes.

In addition, Young said, "I found several attack vectors which make it possible for an adversary targeting a single Android device to compromise an entire organization." That could occur if an intercepted Android token was issued to a security administrator who had super-user permissions -- for example, to add or delete users from a business's Google Apps domain or to alter their access privileges.

To test the attack vectors, Young crafted a proof-of-concept Stock Viewer app that he uploaded to Google Play in March. If installed, the app intercepted an Android user's weblogin token. Lest anyone criticize Young for putting people at risk, the security researcher said his app carried a disclaimer that it was for testing purposes only and would "completely [compromise] your privacy." To further dissuade anyone from downloading it, he also slapped the app with a $150 price tag.

Interestingly, Google approved the app for sale, meaning that Bouncer, its automated malware detection service, failed to detect the built-in token-grabbing functionality. Similarly, mobile antivirus software from Avast, Lookout, Norton, Sophos and Trend Micro didn't flag the software as posing a risk, or apparently detect that the software had access to the weblogin token.

Google did, however, drop the app from Google Play about a month after it was uploaded. Furthermore, prior to his Def Con talk, Young said that Google's Apps Verify feature -- which is now automatically installed on all Android devices (version 2.3 or above) that want to access Google Play -- had begun warning that the app was malicious before users install it. But Young said that warning disappeared if the app was renamed.

A Google spokesman didn't immediately respond to an emailed request for comment on Young's research. But in advance of the talk, Google had already addressed one attack vector highlighted by Young, which would have allowed someone in possession of a token to reset an account password if two-step verification wasn't enabled. In addition, Google now blocks anyone who logs into a Google account using a weblogin token from adding a user to a Google Apps domain or from obtaining a dump of all data stored by the account.

"Google is closing more weblogin Apps attacks for my #DEFCON talk -- a nice start but still a long long way to go," Young tweeted in advance of his presentation. Notably, Young has called on Google to give Google Apps administrators the ability to block all automatic access via weblogin tokens.

What can Android users do now to mitigate the vulnerability? Young recommended they never use an admin account on Android and regard all token requests made by apps with suspicion. He also recommended that users stick with trusted app stores and vendors -- which is long-standing security advice -- and run antivirus to detect root exploits, which could be used to facilitate weblogin token stealing.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
8/6/2013 | 7:45:39 PM
re: Android One-Click Google Apps Access Cracked
How well do you think Google is policing its app store, Matt? As well as Apple?
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, you were supposed to display UNICODE characters!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.