99% of Android phones leak secret account credentials

by Manoj Chandrasenan on 17.05.2011 at 17:49

Interesting read on a report describing vulnerabilities in Google's smartphone OS, Android, that allow adversaries to steal the digital credentials used to access calendars, contacts and other sensitive data stored on Google's servers.

After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the authentication API returns an authentication token (an authToken; for Google services this is the ClientLogin protocol) that the affected Android apps then send over plain, unencrypted HTTP on every sync request. Because an authToken stays valid for up to 14 days and is all a request needs in order to be accepted by the service, anyone who sniffs it from the network (an open Wi-Fi hotspot is the obvious place) can replay it and gain unauthorized access to the account without ever learning the password.
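To make the failure mode concrete, here is an added example (my own code, not from the report or from Google) that scans captured HTTP requests for the ClientLogin header format `Authorization: GoogleLogin auth=<token>` and separates the vulnerable plain-HTTP flows from the fixed HTTPS ones. The captured flows, hostnames, paths and token values below are constructed samples, not real traffic; the `replay_request` helper only builds the request string an attacker would resend, it sends nothing.

```python
"""Flag Google ClientLogin authTokens carried over plaintext HTTP.

Added example: the sample flows below are constructed, not real captures.
Only the header format (Authorization: GoogleLogin auth=<token>) is the
real ClientLogin convention; hosts, paths and token strings are made up.
"""
from dataclasses import dataclass

# Constructed sample flows as a sniffer on the same Wi-Fi would see them.
SAMPLE_FLOWS = [
    # Vulnerable: calendar sync over plain HTTP (pre-fix Android behaviour).
    {"dst_port": 80, "tls": False, "data":
        "GET /calendar/feeds/default/allcalendars/full HTTP/1.1\r\n"
        "Host: www.google.com\r\n"
        "Authorization: GoogleLogin auth=DQAAAMEXAMPLEcalendarTOKEN123\r\n"
        "User-Agent: Android-GData/1.2\r\n\r\n"},
    # Vulnerable: contacts sync over plain HTTP.
    {"dst_port": 80, "tls": False, "data":
        "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
        "Host: www.google.com\r\n"
        "Authorization: GoogleLogin auth=DQAAAMEXAMPLEcontactsTOKEN456\r\n\r\n"},
    # Fixed behaviour: same request over HTTPS; the capture only sees TLS
    # records, so no header is recoverable by a passive attacker.
    {"dst_port": 443, "tls": True, "data": "\x16\x03\x01\x00\xa5\x01\x00\x00..."},
    # Unrelated plaintext HTTP carrying no token: must not be flagged.
    {"dst_port": 80, "tls": False, "data":
        "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]


@dataclass
class Leak:
    host: str    # service the token was sent to
    path: str    # resource requested with it
    token: str   # the authToken itself, reusable until Google expires it


def _parse_request_head(raw: str):
    """Split a raw HTTP request into (method, path, headers dict); None if not HTTP."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def find_leaked_tokens(flows) -> list:
    """Return a Leak for every ClientLogin token visible in cleartext."""
    leaks = []
    for flow in flows:
        if flow["tls"]:
            continue  # token travels inside TLS: unreadable to a sniffer
        parsed = _parse_request_head(flow["data"])
        if parsed is None:
            continue
        _method, path, headers = parsed
        auth = headers.get("authorization", "")
        scheme, _, cred = auth.partition(" ")
        if scheme.lower() != "googlelogin" or not cred.startswith("auth="):
            continue
        leaks.append(Leak(headers.get("host", "?"), path, cred[len("auth="):]))
    return leaks


def replay_request(leak: Leak, path: str) -> str:
    """Build (not send) the request an attacker replays with a stolen token.

    No password is involved: the token alone satisfies the service.
    """
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {leak.host}\r\n"
            f"Authorization: GoogleLogin auth={leak.token}\r\n\r\n")


def redact(token: str) -> str:
    """Log-safe form of a token: never write the full value to a report."""
    return token[:6] + "..." if len(token) > 6 else "..."


if __name__ == "__main__":
    for leak in find_leaked_tokens(SAMPLE_FLOWS):
        print(f"cleartext authToken to {leak.host}{leak.path}: {redact(leak.token)}")
```

The detector keys on the transport, not on the token's shape: the same header over HTTPS is invisible to a passive attacker, which is exactly what the fix in later Android releases changed for the affected sync apps.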

With more than 99 percent of Android phones running versions that still carry the weakness (Android 2.3.3 and earlier), the report demonstrates how little success Google has had in getting carriers and handset makers to ship the latest releases to their users.

