Bastian Könings, Jens Nickels, and Florian Schaub, security researchers at the University of Ulm:
We tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services).

Until Android 2.3.3 the Calendar and Contacts apps transmit any request in the clear via http and are therefore vulnerable to the authToken attack. This affects 99.7% of all Android smartphones (stats from 2nd of May 2011). Since Android 2.3 the Gallery app provides Picasa Web Albums synchronization which is also not

Since Android 2.3.4, the Calendar and Contacts apps are using a secure https connection. However, the Picasa synchronization is still using http and thus is still vulnerable.

Our sniffed authTokens were valid for several days (14 days for a sniffed Calendar authToken), which enables adversaries to comfortably capture and make use of tokens at different times and
I’m sure most Android handsets will be updated to version 2.3.4 or later very soon, so no worries.
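As an added illustration (not code from the researchers or from the Android apps), this is the check a network defender would run over passively captured plaintext HTTP requests to find the exposure the quote describes: it parses each request, flags any that carries a credential in the Authorization header, and reports only a masked token so the log itself never becomes a second leak. The ClientLogin header form `GoogleLogin auth=...` and the sample captures are assumptions constructed for the example.

```python
import re

# Constructed sample captures, as a passive monitor on an open Wi-Fi segment
# sees plaintext HTTP requests (TLS traffic is opaque and never shows up here).
SAMPLE_CAPTURES = [
    # Calendar sync on a pre-2.3.4 build: ClientLogin token sent over plain http
    "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAMP0000EXAMPLE\r\n\r\n",
    # Picasa Web Albums sync, still plaintext on 2.3.4 according to the quote
    "GET /data/feed/api/user/default HTTP/1.1\r\n"
    "Host: picasaweb.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAPIC0000EXAMPLE\r\n\r\n",
    # Unauthenticated plaintext fetch: nothing secret is exposed
    "GET /public/logo.png HTTP/1.1\r\n"
    "Host: example.invalid\r\n\r\n",
]

# Credential-bearing Authorization schemes worth alerting on when seen in clear.
AUTH_SCHEMES = re.compile(r"^(GoogleLogin auth=|Bearer |Basic )(\S+)", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def mask(token, keep=4):
    """Keep a short prefix for correlating repeated use; never log the full token."""
    return token[:keep] + "*" * (len(token) - keep)


def find_token_leaks(captures):
    """One finding per plaintext request that carries a credential in Authorization."""
    findings = []
    for raw in captures:
        _method, path, headers = parse_request(raw)
        auth = headers.get("authorization")
        m = AUTH_SCHEMES.match(auth) if auth else None
        if m:
            findings.append({"host": headers.get("host", "?"), "path": path,
                             "scheme": m.group(1).strip(), "token": mask(m.group(2))})
    return findings
```

Repeated findings with the same masked prefix across several days are the pattern to watch for, given the multi-day token validity the researchers observed.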