Google has acknowledged the Android security issue recently discovered by researchers at Germany's University of Ulm. The researchers claim that sensitive data stored on Google's servers for calendars, contacts and other services can be stolen through Android devices.
The vulnerability results from an improper implementation of an authentication protocol. Currently, an authentication token, once issued, can be reused for up to 14 days in any subsequent request to Google's services, an opening that gives an attacker who captures the token access to the Android user's account. The attacks are possible when devices are using unsecured networks, such as open Wi-Fi hotspots, where the token can be observed in transit.
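To make the weakness concrete from the defender's side, here is an added illustration (not code from the article, from Google, or from the Ulm researchers) of a simple HMAC-signed bearer token and a server-side validator. It assumes a constructed server secret, a hypothetical account name and timestamps, and it models two controls a validator can enforce: a maximum token age and a refusal to accept a token presented over a non-TLS channel. The simulation shows why a token captured on an open hotspot stays useful to a thief for the full 14-day window, and how a short lifetime plus a transport check shrinks that window.

```python
import base64
import hashlib
import hmac
import json

# Constructed server secret for this example only; not a real key.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"

DAY = 24 * 60 * 60
LONG_LIVED = 14 * DAY   # the 14-day validity window described in the article
SHORT_LIVED = 60 * 60   # a one-hour window, chosen here purely for contrast


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Mint a bearer token of the form base64(payload).base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"acct": account, "iat": issued_at},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def validate_token(token: str, now: int, over_tls: bool, max_age: int,
                   secret: bytes = SERVER_SECRET) -> tuple:
    """Return (accepted, reason_or_account).

    Rejects tokens that are presented in the clear, malformed, forged, or
    older than max_age seconds. The transport check is the control that
    matters on an open hotspot: a token that never travels unencrypted
    cannot be sniffed there in the first place.
    """
    if not over_tls:
        return (False, "token presented without TLS")
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return (False, "malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return (False, "bad signature")
    claims = json.loads(payload)
    if now - claims["iat"] > max_age:
        return (False, "token expired")
    return (True, claims["acct"])


def replay_window(max_age: int) -> dict:
    """Simulate a token captured at t0 and replayed later under a lifetime policy."""
    t0 = 1_300_000_000  # constructed issue time
    token = issue_token("user@example.com", t0)  # hypothetical account
    return {
        "same_hour_tls": validate_token(token, t0 + 600, True, max_age)[0],
        "day_13_tls": validate_token(token, t0 + 13 * DAY, True, max_age)[0],
        "day_15_tls": validate_token(token, t0 + 15 * DAY, True, max_age)[0],
        "same_hour_plaintext": validate_token(token, t0 + 600, False, max_age)[0],
    }


if __name__ == "__main__":
    # Under the 14-day policy a token stolen today still works on day 13;
    # under the one-hour policy the same replay is refused.
    print("14-day policy:", replay_window(LONG_LIVED))
    print("1-hour policy:", replay_window(SHORT_LIVED))
```

The point of the two runs is the "day_13_tls" entry: with a 14-day lifetime a captured token is accepted almost two weeks later, with a one-hour lifetime it is not, and in both cases a token presented over plaintext is refused outright.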
The issue has already been fixed in the most recent Gingerbread release, but 99% of Android phones still run lower versions.
Google has now started to roll out a server-side patch that addresses the issue for all versions of Android. Google released this statement:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
Google takes care of everything, so no action is required from users. However, the patch only addresses the authentication tokens for Google Calendar and Google Contacts; Google has yet to resolve the issue with Picasa.