An Android vulnerability affecting 99% of Android devices has been discovered. Once the vulnerability is exploited, hackers can steal your personal information from Facebook accounts, Calendar and other apps if you connect to a rogue WiFi hotspot.
Prior to Android 2.3.4, the ‘ClientLogin’ authentication is vulnerable to attack. Google servers authenticate your login username and password once; after that, a token is used. The token is not encrypted and is sent in plain text, so an attacker can capture it.
What is needed for this hack?
The attacker needs to set up a WiFi hotspot, and the best way to do this is to set it up near public places such as a coffee shop and copy the SSID of the hotspot, e.g. ‘Starbucks Free WiFi 2’. People will access the attacker's hotspot since the original needs authentication. Then the hacker will capture those tokens.
How to stay secure in Public Hotspots:
Use your 3G or 4G connection for better security instead of an unsecured wireless network.
If you really need to access a public hotspot, make sure that the hotspot is legitimate. If you are in a hotel or a coffee shop, ask the staff for the SSID, and preferably ask for a connection with encryption.
There is SSH tunneling for mobile devices, but you need a server to set it up, so it is not practical for ordinary use. Eventually there will be apps like Hotspot Shield for PC and VPN connections.
But the best tool of all time is common sense. Don’t connect to hotspots when you don’t know who owns them, and if you are in doubt, ask the authorized personnel whether that SSID indeed belongs to them.
I know some tools that can spoof and can be used as a rogue access point, but I have not tried them on a mobile device, and that is beyond the scope of this article.
Safe surfing and stay secure!