Android authToken Bug Places 99% of Handsets at Risk
The problem stems from an error in Google's implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and lower. Once a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, an authentication token is delivered, but the problem is that the token is sent in cleartext. The authToken allows access to the logged-in service for up for 14 days, without requiring another login.
The researchers, from Germany's University of Ulm said that hackers could capture such authTokens en masse if they leveraged the fact that devices will attempt to reconnect to a previously known network (assuming that setting is enabled in the OS). The reconnection is based on the network's SSID. Thus:
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”