It's said that where there is private information, there will be thieves trying to get it!
Android has third-party applications in the Android Market, and some of them aren't very nice applications!
Researchers from Germany’s University of Ulm have identified processes which could potentially allow attackers to hijack tokens used to access calendars, contacts and a number of other services available within Google’s Android operating system, affecting as many as 99% of mobile phones running the software.

Access to these services revolves around a weakness in how Google’s ClientLogin authentication protocol is implemented, sending authentication tokens in cleartext once a user enters a valid username and password to access a particular service. The implementation, which is unpatched in Android versions 2.3.3 and lower, allows unfettered access for up to 14 days to that same service, potentially providing attackers with a route into a person's account.

The team, comprising Bastian Könings, Jens Nickels, and Florian Schaub, explains what could be accessed as a result:

"For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

The attack utilises a similar process to that of the Firesheep desktop plugin, which allows attackers to steal session cookies (sidejacking), and which helped users of the application to steal login credentials used to authenticate sessions on popular social networking websites like Facebook and Twitter.

For attackers to be able to gain access to Google services, the user would first need to authenticate their device on an unencrypted wireless network, something that is generally frowned upon for these very reasons. For this reason alone, the vulnerability will never be exploited to its maximum capacity.

The good news is that Google is already aware of the vulnerability and has moved to patch the bug in its latest Android 2.3.4 firmware update, although some of its services, including Picasa, are still transmitting sensitive data via unencrypted channels, according to the researchers. Google has confirmed the claim and said that it is working on a fix.

To reduce the impact of the vulnerability, developers that use ClientLogin are encouraged to immediately switch to https connections to secure data and begin utilising OAuth for authentication, which would mitigate the authToken capture issue immediately.

Android handset owners should upgrade to Android 2.3.4 as soon as it is possible to do so, although this is normally an operator issue and customers are asked to wait. However, the researchers note that owners can also switch off automatic synchronisation in the settings menu when connecting to open WiFi networks, reducing the chances of an attacker capturing credentials.

Source: TNW http://goo.gl/vTbeC
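One way for a developer to check their own app against the advice above, as an added example that is not part of the original post or the TNW article: it audits a constructed log of the app's outbound requests and flags any Authorization header sent over plain http, plus ClientLogin still in use over https. The hosts, tokens and function names are made up for illustration; "GoogleLogin auth=" is the header format ClientLogin clients send.

```python
import re
from urllib.parse import urlsplit

# ClientLogin clients send "Authorization: GoogleLogin auth=<token>" with each API call.
CLIENTLOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)", re.IGNORECASE)

# Constructed sample of an app's outbound request log (hosts and tokens are made up).
SAMPLE_REQUESTS = [
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=DQAAconstructed1"}},
    {"url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=DQAAconstructed2"}},
    {"url": "http://photos.example.test/data/feed",
     "headers": {"Authorization": "GoogleLogin auth=DQAAconstructed3"}},
    {"url": "http://static.example.test/logo.png", "headers": {}},
    {"url": "https://api.example.test/v1/items",
     "headers": {"Authorization": "Bearer constructed-oauth-token"}},
]

def redact(token, keep=4):
    """Keep only the first few characters so findings are safe to paste in a report."""
    return token[:keep] + "..." if len(token) > keep else "..."

def audit_requests(requests):
    """Return (kind, url, redacted_token) findings.

    cleartext-token    : Authorization header sent over plain http (readable on open WiFi)
    legacy-clientlogin : ClientLogin over https (token stays valid for days; move to OAuth)
    """
    findings = []
    for req in requests:
        scheme = urlsplit(req["url"]).scheme.lower()
        # Header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        auth = headers.get("authorization", "").strip()
        if not auth:
            continue
        match = CLIENTLOGIN_RE.match(auth)
        if scheme != "https":
            token = match.group(1) if match else auth.split()[-1]
            findings.append(("cleartext-token", req["url"], redact(token)))
        elif match:
            findings.append(("legacy-clientlogin", req["url"], redact(match.group(1))))
    return findings

if __name__ == "__main__":
    for kind, url, token in audit_requests(SAMPLE_REQUESTS):
        print(f"{kind:20} {url}  token={token}")
```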
The reason why Android will never be secure is:
Users!
What is a user:
A user doesn't install security applications! A user downloads crap. A user doesn't know about these threats. Users are kids who don't care! Users are inexperienced people!
Are you a user? I hope NOT!
Let me ask you a question. Do you have security on your computer/laptop/netbook ? Do you?
If yes, you are still not secure (see why)
If no, get help fast, dear reader! Help is here!
Do you have security on your phone?
User: What?! A phone doesn't have viruses!
ME: Oh, yes it does!!
Thinking you are safe by default is an illusion...
iOS is very safe (great job, Apple) because:
They check all the applications
They have a secure platform
Android is NOT safe because:
No security in place
Users mucked about, getting themselves infected.
And as stated above!