Android vulnerability stems from improper implementation of ClientLogin authentication system

In what marks a significant follow-up to Rice University professor Dan Wallach's February findings that network eavesdropping poses a threat to Android users, researchers at the University of Ulm, Germany, have recently devised a proof-of-concept attack that demonstrates the vulnerability.

With Wallach having noted that a number of Android applications do not use SSL encryption to protect their network traffic, the University of Ulm researchers have pinpointed that the weakness results from an improper implementation of an authentication protocol called ClientLogin in Android versions 2.3.3 and earlier.

According to the researchers, the weakness can easily be used against people who use their Android devices on networks that an attacker controls; Android's calendar sync, contact sync, and Picasa sync are all susceptible.

ClientLogin is chiefly designed to let an application trade a user's credentials for an authentication token (authToken) that identifies the user to the service. The researchers said that although many Google applications use the ClientLogin authentication system, they apparently fail to use SSL to encrypt their communication with Google's servers, which exposes those applications to eavesdropping attacks.
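The following is an added example, not code from the article or from the University of Ulm researchers, that shows the defender's side of the problem described above: an audit over a request log that flags any ClientLogin authToken sent without TLS, and a client-side guard that refuses to attach the token to a non-https URL. The `Authorization: GoogleLogin auth=<token>` header shape is the real ClientLogin format; the log line layout, host paths, user agents and token values are constructed for this example and do not come from any capture.

```python
"""Added example: spot ClientLogin authTokens that travel over cleartext HTTP.

The Authorization header format ("GoogleLogin auth=<token>") is the real one
used by the ClientLogin API. Everything else here (the log line layout, the
paths and the token values) is constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Real ClientLogin header shape; the token value itself is opaque.
GOOGLELOGIN_RE = re.compile(r"Authorization:\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    scheme: str
    host: str
    path: str
    token_fingerprint: str  # short hash, so the report never repeats the secret
    cleartext: bool


def fingerprint(token: str) -> str:
    """Stable, non-reversible handle for a token, safe to put in a report."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def audit_requests(lines: List[str]) -> List[Finding]:
    """Return one Finding per request that carries a ClientLogin token.

    Constructed line layout (assumed, not any tool's format):
    "<scheme> <host> <method> <path> | <header> | <header> ..."
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        request, _, header_blob = line.partition("|")
        parts = request.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess
        scheme, host, _method, path = parts
        match = GOOGLELOGIN_RE.search(header_blob)
        if not match:
            continue
        findings.append(Finding(
            scheme=scheme.lower(), host=host, path=path,
            token_fingerprint=fingerprint(match.group(1)),
            cleartext=scheme.lower() != "https",
        ))
    return findings


def cleartext_token_hosts(lines: List[str]) -> List[str]:
    """Hosts that received a token without TLS, in order of first sighting."""
    seen: List[str] = []
    for finding in audit_requests(lines):
        if finding.cleartext and finding.host not in seen:
            seen.append(finding.host)
    return seen


def authorized_headers(url: str, token: str) -> Dict[str, str]:
    """Client-side fix: refuse to attach the token unless the URL is https."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send ClientLogin token to {url!r}: TLS required")
    return {"Authorization": f"GoogleLogin auth={token}"}


# Constructed sample: one sync session as a simple capture export might list it.
SAMPLE_LOG = """
https www.google.com POST /accounts/ClientLogin | Content-Type: application/x-www-form-urlencoded
http www.google.com GET /calendar/feeds/default/private/full | Authorization: GoogleLogin auth=DQAAA_constructed_calendar_token | User-Agent: constructed-sync-client
http www.google.com GET /m8/feeds/contacts/default/full | Authorization: GoogleLogin auth=DQAAA_constructed_contacts_token
http picasaweb.google.com GET /data/feed/api/user/default | Authorization: GoogleLogin auth=DQAAA_constructed_picasa_token
https mail.google.com GET /mail/feed/atom | Authorization: GoogleLogin auth=DQAAA_constructed_mail_token
http example.com GET / | User-Agent: Mozilla/5.0
""".strip().splitlines()


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_LOG):
        status = "EXPOSED" if finding.cleartext else "ok"
        print(f"{status:8} {finding.scheme}://{finding.host}{finding.path}  token#{finding.token_fingerprint}")
    try:
        authorized_headers("http://www.google.com/calendar/feeds/default/private/full", "token")
    except ValueError as exc:
        print("client guard:", exc)
```

The audit reports a fingerprint rather than the token so that the report itself does not become a second place the secret is stored; the guard in `authorized_headers` is the minimal client-side change the article's finding calls for, since a token that is only ever placed on an https connection cannot be read by a passive observer on the access point.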

Noting that, to collect authTokens on a large scale, an adversary can “setup a wifi access point with a common SSID of an unencrypted wireless network, e. g., T-Mobile, attwifi, starbucks,” the researchers said: “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail, the adversary would capture authTokens for each service that attempted syncing.”