Google verifies Android security flaw
Google has confirmed reports from German researchers of a defect in its Android operating system that allows hackers to access information sent over open Wi-Fi networks.
Google confirmed the researchers' findings yesterday and announced it would release a software update to fix the problem.
"Today we're starting to roll out a fix, which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," the company said. "This fix requires no action from users and will roll out globally over the next few days."
Last week, three researchers from Germany's Ulm University found that all but the most recent version of Android 2.3 Gingerbread did not properly encrypt applications when connected to an open Wi-Fi network, allowing outside parties to access the phone's calendar, contact information and photos.
Devices running Android 2.1 and Froyo also have the same gaps in their security settings. Smartphones running Android 2.3.4 are only partially susceptible to the security flaw; calendar and contacts are properly secured, but photos remain vulnerable to attack.
Smartphone users often access open Wi-Fi networks, such as coffee shop hotspots, to get faster data speeds and avoid using up their monthly allotment of mobile data.
The way Android devices transmitted data over those unsecured Wi-Fi networks allowed outside parties to view, modify and delete contacts, calendar events and private pictures.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," wrote researchers Bastian Konings, Jens Nickels and Florian Schaub in a blog post.
The researchers suggested users update their smartphones to the most recent version of Android as soon as possible; switch off automatic synchronization in the settings menu, when connecting to an open Wi-Fi network; prevent devices from automatically reconnecting to open Wi-Fi networks by having it "forget" their old settings; and avoid open Wi-Fi networks altogether when using apps vulnerable to the security flaw.