New smartphone privacy alert as Android handsets found to be prone to leaking data

By Sean Poulter

Millions of smartphones which use the Android software promoted by Google are a security risk, it was claimed yesterday.

Researchers found that criminals can tap into the transfer of information between the phones and the internet, gaining access to personal data.

The discovery was made by security experts at the University of Ulm in Germany

Most smartphone manufacturers other than Apple use the Android operating system.

Many applications on Android phones interact with Google services by asking for an authentication token – essentially a digital ID card for particular application. The token removes the need to keep logging into a service each time you need to access it.

It is claimed that a hacker monitoring an Android smartphone connected to the internet via a wi-fi network would be able to steal the token.

In theory, the hacker would then use the information to log on to websites using the identity of the phone’s legitimate user.

In a blog posting on their findings, the researchers said: ‘The adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user.’

They added: ‘An adversary could change the stored e-mail address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.’

The researchers said while they had identified a security loophole there is no evidence, to date, that any hackers are taking advantage of it.

Google has released software updates which are said to address most of the security concerns.

Mark Evans, director at IT services provider, Imerja, said: ‘That such an enormous proportion of Android phones could potentially be leaking users’ personal data is shocking.

‘Mobile devices are increasingly used for business, more so than laptops, and their security is essential to protect organisations against data breach or other ill-intentioned activities.

‘The message to companies is clear; mobile devices must be properly secured. They should be implementing robust and enforceable security policy structures to support effective mobile working, such as encryption.’

Most smartphone manufacturers - other than Apple - use the Android operating system.