How one hacked Android device can breach a whole network

When employees use their personal smartphones, IT often worries that the data on an individual device will be compromised if it’s lost or stolen or gets infected with a virus. But BYOD security threats could be an even bigger issue than many companies realize, as one security researcher recently showed.

At the recent Def Con security conference in Las Vegas, Craig Young, a security researcher with Tripwire, demonstrated a way to hack into an entire organization via its Google Apps domain using a single compromised Android device.

Many companies use Google Apps for corporate email, or for document creation and collaboration. Android makes it easy to connect to Google Apps using a smartphone or a tablet. And that’s where the vulnerability lies.

Android has a single sign-on feature that grants access to Google accounts. Basically, Young said during his demonstration, Android uses cookies rather than passwords to access Google services.

It’s convenient for users, but there’s a big problem: If a device is logged into a Google Apps admin account, the phone or tablet contains the token needed to access the domain control panel. That means hackers just need to compromise that one device — either by getting physical access or infecting it with malware — to get into the control panel.

Once they have that token, hackers can get into the organization’s control panel and reset passwords, download documents and wreak other havoc.

The token is especially vulnerable because it’s shared by so many apps. For example, Young said, a malicious app may ask for credentials on behalf of YouTube but then use that token to log into Gmail.

Protect corporate accounts

That’s a big problem, Young said, because there are a lot of Android viruses out there, and Google hasn’t done much to keep them out of the official Android app store.

The best way to keep corporate Google accounts from being compromised: Make sure IT admins don’t use their Android devices to log into administrative accounts for Google services.

Of course, users’ own accounts can be compromised, too. That’s another reason it may be a good idea to train Android users to avoid downloading suspicious apps.

• Xennex1170

  Ok, just to make sure I understand. The point of the article is to keep a device that has admin access to Google Apps from falling into the wrong hands. Are you saying that iOS devices cannot ever have admin access to Google Apps? If other OS devices that use Google services (including laptops and desktops) can also have Google Apps admin access, what makes this pertain to Android only?