Android is an operating system based on Linux and designed especially for mobile devices that since 2005 is developed by Google. It currently has a large market share in this type of devices due, to a large extent, to the free availability of its code and the wide variety of free applications available.
The discovered flaw lies in the protocol used by ClientLogin, used by other applications to identify themselves in Google services through an authentication token (authToken) that are valid for the two-week period. ClientLogin obtains this token by sending google the account name and password. Logically, all this data travels over an HTTPS connection, under SSL. However, when an application wishes to identify itself to Google, the requests containing this token are sent over unencrypted HTTP connections, and can be visible by any machine that is capturing traffic on the same local network. Android usually connects over wireless networks, and if that network doesn't use encryption or uses insecure encryption (WEP, for example), it would be equivalent to sending credentials in plain text.
This security flaw is present in Android 2.3.3 and earlier versions. Google has corrected the bug in version 2.3.4, so it would be advisable to update to this version. However, the main problem now is that Android users actually update their version so as not to be vulnerable. This responsibility is usually left in the hands of the manufacturer of the terminal, which customizes the versions of the operating system. Therefore, it is necessary to be aware of the update of each phone manufacturer and this could take an indefinite time.
In the meantime, it is recommended not to use Android on unencrypted or untrusted wireless networks.
Source: Hispasec
