Google Issues Patch to Plug Android Data Leaks
Google's putting a quick patch on an Android security flaw that could leak contacts and calendar data through open Wi-Fi networks.
The patch will roll out to Android phones starting Wednesday. "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," Google said in a statement.
Researchers at Ulm University's Institute of Media Forensics reported the flaw last week, and the tech press took notice on Monday and Tuesday. The issue lies in the way Android handles authentication tokens. If sent over an insecure http connection, a hacker on the same Wi-Fi network as the user could conceivably steal the authentication and gain access to the user's calendar, contacts and Picasa Web albums. Although the issue of contact and calendar leakage was already fixed in Android 2.3.4, the vast majority of Android phones run older versions of the software.
The odds of being attacked are unlikely, but it's not the type of issue Google would want to ignore. The patch only addresses calendar and contact data; Google is still trying to figure out how to address the issue within Picasa.
It's interesting to note that Google was able to patch the problem quickly on old versions of the Android software. Fragmentation may be an issue for app compatibility or getting the latest Android features, but at least it didn't stop Google from pushing out a fix to a security problem.