Android Android security issues

[sarah11918]

I'm guessing this is something we should be aware of:

http://techcrunch.com/2011/05/17/99-...assword-theft/

[ivanjt]

Aware of, yes. Concerned about, maybe, since the edge isn't a phone. As I remember the Reg article there wasn't much to say about tablets.

[sarah11918]

I know that because it's not a phone, it can't be forced to make calls or anything. But the article mentions something about tokens that are good for a while after you log in from your Android phone that are sent in plain text that can be intercepted. I didn't know whether that was a vulnerability that could be exploited over wifi on our tablets as well.

[jbcohen]

First, I do not have any android anything (something that I lament greatly) so I need to speak from a more general level. Second inthe real world I am professionally part Information Security Officer, waht that means is that I spend all day worrying about exactly this sort of things.

The troubble with this is that android is typically localized to smart phones, something that hopefully will change. Smart Phones do not keep much in the way of data on the device. They keep such things as places that you have called or text and your speed dials and your phone book. Not much information that is interesting to a hacker, what they are interested in is the passwords to your bank account and credit cards, the dollars. Shure they can spend hours breaking into your android phone but what they get out of it, called the payload or the honey pot is not very interesting. The way to twart these hackers is to frequently change your passwords to your bank accounts and credit card accounts, and do not keep the passwords on the smart phone - they can potentially get that. Write the passwords on a note book in your purse or men keep it on a card in your wallet - something so that the password is offline - not on anything.

So follow some simple steps to keep yourself secure:

1)Change passwords frequently - once a month;
2) Passwords should be at least eight characters and include one special character such as !@#$%$^&* a CAP and lower case;
3) Don't make any of your passwords spell anything at all - make them simply an assembleage of letters, numbers and special characters - a pal of mine used dmfr$Es - means nothing.

[sarah11918]

Quote:

Originally Posted by jbcohen

Smart Phones do not keep much in the way of data on the device. They keep such things as places that you have called or text and your speed dials and your phone book. Not much information that is interesting to a hacker, what they are interested in is the passwords to your bank account and credit cards, the dollars. Shure they can spend hours breaking into your android phone but what they get out of it, called the payload or the honey pot is not very interesting.

But I thought according to the article linked, the problem is that people are logging into sites on their smartphones, an interceptable-plain-text token good for sometimes 2 weeks is generated, and therefore they can get all the good stuff.

It's not the data *on* the phone that's necessarily sensitive. Isn't it the fact that with smart phones - phones with apps that log into all sorts of sites, some very sensitive - the traffic can provide a big payoff?

[ivanjt]

Sarah, did you read the follow up article on the Reg, it is fixed.
http://www.theregister.co.uk/2011/05..._security_fix/

[sarah11918]

Quote:

Originally Posted by ivanjt

Sarah, did you read the follow up article on the Reg, it is fixed.
http://www.theregister.co.uk/2011/05..._security_fix/

Nope, I didn't. Guess we don't have to worry then! Thanks!

[Filark]

Whew!