Google: Android security flaw now being fixed for all users

By JR Raphael (@jr_raphael)

A security flaw discovered in Google's Android operating system is now being fixed for all users, a Google spokesperson tells me.

The flaw was brought to light by a team of German researchers on Friday. The researchers posted a paper explaining how certain Google account authentication tokens were being sent over-the-air unencrypted, potentially putting users at risk if they were transmitting data over public Wi-Fi networks. Specifically, information from users' Google Calendar, Google Contacts, and Google Picasa accounts could be exposed, or "sniffed" out, by hackers connected to the same Wi-Fi network.

The issue had already been fixed in the most recent Gingerbread release, Android 2.3.4, but as the researchers pointed out, the majority of Android phones -- around 99 percent -- are not yet running that version.

Today, Google started rolling out a server-side patch that addresses the issue for all versions of the Android OS. The update is global and automatic, requiring no software update on the user end. Google expects the rollout to be complete and to reach all devices worldwide within the week.

The patch addresses the problem with authentication tokens for both Google Calendar and Google Contacts. Android engineers are still looking into the issue with Picasa.

Below is Google's official statement on the matter.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."


Article copyright 2011 JR Raphael. All rights reserved.
