Android 2.3.4 to Plug Massive Security Hole for your Droid!!

jltreads
Newbie

According to The Register (http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/), versions before Android 2.3.4 are easily compromised. If Verizon fails to cure this issue I believe we have grounds for them to replace our phones at no charge - or a class action suit will follow.

VZW - you must cure this security hole.

Synycalwon
Contributor - Level 1

Massive? That's a bit over the top. Compromised? Not the device itself, but potentially sensitive information (e.g. credentials). Replace phones at no cost or class action lawsuit? Seriously?

It's only a potential issue over unsecured Wi-Fi, which is by its very nature insecure. :smileyhappy:

See info on this thread:

http://community.vzw.com/t5/Android-Discussions/Android-Exploit-Credential-Theft/td-p/531492

jltreads
Newbie

Let's make it very clear. I got this phone and am stuck with a 2 year contract which does not expire for a few months. Which means I can't get a new phone without paying through the nose.

If they want to hold me to my contract, then they need to support the device. The device does not require a secure WiFi connection. The operating system holes make operating the phone AS IT WAS DESIGNED unsafe to your personal information.

Therefore, Verizon may be legally required to fix this. In any event, they should either fix it or provide a heavily discounted replacement (perhaps free is too much - but not at the contract rate and no early change fee, below that). If my user data is compromised by their failure to update or replace my device, and I find that others are having the same issue, I will likely start organizing a class action suit.

rcschnoor
Legend

jltreads wrote:

Let's make it very clear. I got this phone and am stuck with a 2 year contract which does not expire for a few months. Which means I can't get a new phone without paying through the nose.

If they want to hold me to my contract, then they need to support the device. The device does not require a secure WiFi connection. The operating system holes make operating the phone AS IT WAS DESIGNED unsafe to your personal information.

Therefore, Verizon may be legally required to fix this. In any event, they should either fix it or provide a heavily discounted replacement (perhaps free is too much - but not at the contract rate and no early change fee, below that). If my user data is compromised by their failure to update or replace my device, and I find that others are having the same issue, I will likely start organizing a class action suit.

What about desktop computers? Laptop computers? Routers? Anything that uses wifi? Can you name ANYTHING that REQUIRES a secure wifi signal? You should also include Cisco, Linksys, Netgear, HP, Apple, Dell, Gateway, etc... in your class action. I can see some big $$$$$$$ in your future. :smileyvery-happy:

It is your choice whether to use an unsecured wifi signal. You only have yourself to blame if you do so.

jltreads
Newbie

Wow - talk about not getting it. If Verizon sold me my laptop on a monthly plan with a two year contract and refused to certify and distribute the latest security patches for Windows 7, you bet your **bleep** I'd sue them for breach of contract. Today it is not acceptable to say "you have to pay me for 2 years for the right to own this phone but I'll stop supporting you any time, kay?"

Oh, and this issue does not affect iPhones, laptops or routers. Only Android pre 2.3.3. My phone is now less functional. A key feature (open WiFi connectivity) that was included when I bought it no longer works without a security breach that resulted from a poor implementation of a standard authentication model.

All I want is my phone to run the latest version of Android. It is an Android phone, after all. iPhones all run the latest release; it makes no sense to effectively EOL device support 14 months after I got the phone.

So, if I can find others in the same boat perhaps we'll request status as a class and pursue damages. How many Android phones that are not updated to 2.3.3 were purchased? That's a whole lotta liability...

Synycalwon
Contributor - Level 1

While I think you're blowing this out of proportion and wasting energy in veiled threats of class action lawsuits, if you're really that angry, it should be pointed at Google, not Verizon, as that is where the issue originates and where a patch has to come from. The phone manufacturers and cell carriers can only integrate it and pass it down.

In reality, this is not a massive security issue and is only a concern when using free Wi-Fi hotspots (e.g. coffee shops, hotels, airports, etc.), which by their very nature are insecure!!! (Same goes for kiosk type computers such as in hotels.) This issue is no different than various other services that don't use encryption (https), such as webmail services, social networking sites, and forums like this. (Did you notice this forum doesn't use https in order to login?) Although, frankly, this is unacceptable overall as the information is transmitted in plain text over the most insecure network: the Internet! Encryption really should be used for anything that requires credentials. Although, admittedly, when it comes to this forum, I'm not concerned if the account gets hacked as there is nothing of a personal nature or value in it.

Bottom line, if this is such a big concern, as it is with me, do as I do and refuse to use untrusted networks for things that are of importance to you, or if you do use them limit your activity to something that doesn't require credentials. Heck, even on my own home Wi-Fi network that is pretty well locked down, I NEVER use it for anything of a sensitive nature (e.g. online banking) as the data could be sniffed out of the air by someone in my neighborhood. At least with hardwired, someone would have to physically connect to do that. Anyway, I digress; you do have a choice to protect yourself.

ISC SANS, a premier authority on security, has a good write-up here:

http://isc.sans.edu/diary/Android+HTTP+and+authentication+tokens/10891

Also check out the info from the original researchers here:

http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

What Android users can do:

  • Update to Android 2.3.4. Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone. Hopefully this will change in the future.
  • Switch off automatic synchronization in the settings menu when connecting to open Wi-Fi networks.
  • Let your device forget an open network you previously connected to, to prevent automatic reconnection (long press the network name and select "Forget").
  • The best protection at the moment is to avoid open Wi-Fi networks altogether when using affected apps.
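The underlying defect the thread is arguing about is an app attaching an authentication token (or session cookie) to a request and then sending that request over plain HTTP, where anyone on the same open Wi-Fi network can read it. The following is an added example, not code from the thread or from the cited write-ups: a small Python check that, given a list of outgoing requests (say, exported from an app's traffic log), reports which ones send credential-bearing headers without TLS, plus a fail-closed guard a client could apply before sending. The sample requests, hostnames and token values are constructed for illustration; the `GoogleLogin auth=` header form is the ClientLogin format the cited research concerned.

```python
"""Detect and refuse credentials sent over unencrypted transport.

Added example; the request samples below are constructed, not captured.
"""
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit


class Request(NamedTuple):
    method: str
    url: str
    headers: Dict[str, str]


# Header names (compared case-insensitively) that carry a secret whose
# disclosure lets a bystander act as the user.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-auth-token"}


def is_transport_encrypted(url: str) -> bool:
    """True only for https:// URLs; http:// and anything else is in the clear."""
    return urlsplit(url).scheme.lower() == "https"


def credential_headers(req: Request) -> List[str]:
    """Names (not values) of the credential-bearing headers on a request."""
    return sorted(h for h in req.headers if h.lower() in CREDENTIAL_HEADERS)


def plaintext_credential_exposures(requests: List[Request]) -> List[Request]:
    """Requests that would leak a credential to anyone sniffing the network."""
    return [
        r for r in requests
        if credential_headers(r) and not is_transport_encrypted(r.url)
    ]


def exposure_report(requests: List[Request]) -> List[str]:
    """Human-readable findings. Deliberately lists header names only, so the
    report itself never re-leaks the token values it is warning about."""
    return [
        f"{r.method} {r.url} sends {', '.join(credential_headers(r))} in the clear"
        for r in plaintext_credential_exposures(requests)
    ]


class InsecureTransportError(ValueError):
    """Raised when a client is about to send a credential over plain HTTP."""


def enforce_https_for_credentials(req: Request) -> Request:
    """Fail closed: refuse rather than silently rewrite to https, since the
    endpoint may not serve TLS and a silent upgrade hides the bug."""
    if credential_headers(req) and not is_transport_encrypted(req.url):
        raise InsecureTransportError(
            f"refusing to send {credential_headers(req)} to {req.url}"
        )
    return req


def rejects_plaintext_credentials(req: Request) -> bool:
    """Convenience wrapper reporting whether the guard blocks a request."""
    try:
        enforce_https_for_credentials(req)
    except InsecureTransportError:
        return True
    return False


# Constructed sample traffic (hostnames and token values are placeholders).
SAMPLE_REQUESTS = [
    Request("GET", "http://sync.example.com/calendar/feeds",
            {"Authorization": "GoogleLogin auth=CONSTRUCTED_TOKEN_1"}),
    Request("GET", "http://sync.example.com/contacts",
            {"Cookie": "SID=CONSTRUCTED_SESSION_1"}),
    Request("GET", "https://sync.example.com/calendar/feeds",
            {"Authorization": "GoogleLogin auth=CONSTRUCTED_TOKEN_1"}),
    Request("GET", "http://sync.example.com/static/logo.png", {}),
]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_REQUESTS):
        print(line)
```

Of the four constructed requests, only the two http:// requests that carry a token or cookie are reported; the same token over https:// and the credential-free http:// fetch pass. The guard mirrors the post's own advice ("Encryption really should be used for anything that requires credentials"): a client that refuses to attach a token to a non-TLS URL is safe on an open hotspot regardless of whether the user remembered to avoid it.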
SJK_
Newbie

Veiled threats of legal action aside, VZW needs to push their hardware partners to get this software upgrade out ASAP. It has the potential to really kill the credibility of the Android platform that Verizon seems to be banking on.

Not applicable

jltreads wrote:

Wow - talk about not getting it. If Verizon sold me my laptop on a monthly plan with a two year contract and refused to certify and distribute the latest security patches for Windows 7, you bet your **bleep** I'd sue them for breach of contract. Today it is not acceptable to say "you have to pay me for 2 years for the right to own this phone but I'll stop supporting you any time, kay?"

Oh, and this issue does not affect iPhones, laptops or routers. Only Android pre 2.3.3. My phone is now less functional. A key feature (open WiFi connectivity) that was included when I bought it no longer works without a security breach that resulted from a poor implementation of a standard authentication model.

All I want is my phone to run the latest version of Android. It is an Android phone, after all. iPhones all run the latest release; it makes no sense to effectively EOL device support 14 months after I got the phone.

So, if I can find others in the same boat perhaps we'll request status as a class and pursue damages. How many Android phones that are not updated to 2.3.3 were purchased? That's a whole lotta liability...

If you're that concerned, pay the ETF and get an iPhone. Stop the ridiculous threats of lawsuits, etc. You sound really silly.