Google is moving quickly to fix the security hole that affects most Android phones reported by German researchers at Ulm University on Tuesday.
The security flaw makes Android devices running version 2.3.3 or below vulnerable to Wi-Fi snooping of the authTokens used by Google services and by sites like Facebook and Twitter. In a statement by a Google spokesperson, the company said it is “starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.”
The fix is a server-side update that will force authTokens in the calendar and contacts applications to be sent over Hypertext Transfer Protocol Secure (HTTPS). Google is still looking into how to patch the vulnerability within the Picasa photo-sharing application.
When the DroidDream malicious applications became a widespread problem in the Android Market, Google went straight into phones remotely to disable the harmful applications and the bootloader they had installed. This recent security vulnerability is not a malicious application but rather a problem with authentication in what are supposed to be safe (and frequently used) applications. Moving that information onto a secure protocol is what patches the vulnerability.
“This is not a bandaid,” said a Google spokesperson. “This is a fix and will not require an OTA update or any action from device owners.”
There were a couple of options available to Google. AuthTokens are saved for 14 days. The vulnerability arises when an application attempts to update automatically over an unsecured Wi-Fi connection, exposing its authToken to anyone snooping on that network. The most logical fix would be to simply get rid of authTokens in favor of a more robust authentication system like OAuth. Or Google could make it so authTokens are saved in the system for less time. Applications could be prohibited from trying to update automatically from unsecured networks, or Google could require that API data calls be made over HTTPS to add a security layer.
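The two mitigations the article weighs, sending the token only over HTTPS and limiting how long a saved token stays valid, come down to a small policy that a client can enforce before it attaches a credential to a request; the snooping side of the story is equally easy to audit for, because a token leaked on open Wi-Fi is simply an Authorization header visible in cleartext HTTP. The following Python is an added example written for this page, not Google's or Android's code: it refuses to attach an authToken to a non-HTTPS URL, rejects tokens older than the 14-day lifetime mentioned above, and scans a constructed HTTP capture for tokens sent in the clear. The `GoogleLogin auth=` header form is the ClientLogin convention Android used at the time; the hosts, paths and token values are constructed for illustration.

```python
"""Added example for the authToken leak discussed above: a client-side guard that
only attaches the token over HTTPS and within its lifetime, plus an audit that
flags tokens sent in cleartext. Not Google's or Android's code; every host,
path and token value here is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

TOKEN_LIFETIME = timedelta(days=14)  # lifetime the article reports for authTokens

# ClientLogin-style header; the token value that follows is what a snooper would capture.
AUTH_HEADER_RE = re.compile(r"^Authorization:\s*GoogleLogin auth=(\S+)",
                            re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class AuthToken:
    value: str
    issued_at: datetime

    def is_expired(self, now: datetime, lifetime: timedelta = TOKEN_LIFETIME) -> bool:
        """A shorter lifetime shrinks the window in which a captured token is useful."""
        return now - self.issued_at >= lifetime


class InsecureTransportError(ValueError):
    """Raised when a credential would be sent over a non-TLS scheme."""


def build_headers(url: str, token: AuthToken, now: datetime) -> dict:
    """Attach the authToken only if the request goes over HTTPS and the token is fresh.

    This is the client-side analogue of the server-side fix in the article: on an
    open Wi-Fi network an https:// request is visible only as ciphertext.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransportError(f"refusing to send authToken over {scheme or 'unknown'}://")
    if token.is_expired(now):
        raise ValueError("authToken expired; re-authenticate instead of reusing it")
    return {"Authorization": f"GoogleLogin auth={token.value}"}


def find_cleartext_tokens(capture: str) -> list:
    """Scan a plaintext HTTP capture and report every authToken sent unencrypted.

    Returns (host, path, token_prefix) tuples. The token is truncated so the audit
    output does not become a second place the credential leaks.
    """
    findings = []
    for request in re.split(r"\n\s*\n", capture.strip()):
        request_line = request.splitlines()[0].split()
        match = AUTH_HEADER_RE.search(request)
        if not match:
            continue
        host = HOST_RE.search(request)
        path = request_line[1] if len(request_line) > 1 else "?"
        findings.append((host.group(1) if host else "?", path, match.group(1)[:8] + "..."))
    return findings


# Constructed capture: two background sync requests that leak a token, one that does not.
SAMPLE_CAPTURE = """\
GET /calendar/feeds/default/full HTTP/1.1
Host: calendar.example.com
Authorization: GoogleLogin auth=CONSTRUCTEDTOKEN0001
User-Agent: Android-Sync/1.0

GET /contacts/feeds/default/full HTTP/1.1
Host: contacts.example.com
Authorization: GoogleLogin auth=CONSTRUCTEDTOKEN0002
User-Agent: Android-Sync/1.0

GET /robots.txt HTTP/1.1
Host: contacts.example.com
User-Agent: Android-Sync/1.0
"""


def run_demo() -> dict:
    """Exercise both checks on the constructed data and return the outcomes."""
    now = datetime(2011, 5, 18, tzinfo=timezone.utc)  # fixed clock so results are reproducible
    fresh = AuthToken("CONSTRUCTEDTOKEN0001", issued_at=now - timedelta(days=1))
    stale = AuthToken("CONSTRUCTEDTOKEN0002", issued_at=now - timedelta(days=14))
    results = {"cleartext": find_cleartext_tokens(SAMPLE_CAPTURE)}
    results["https_ok"] = build_headers("https://calendar.example.com/feed", fresh, now)
    try:
        build_headers("http://calendar.example.com/feed", fresh, now)
        results["http_blocked"] = False
    except InsecureTransportError:
        results["http_blocked"] = True
    results["stale_rejected"] = stale.is_expired(now)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints two cleartext findings from the capture, the headers that the HTTPS request is allowed to carry, and confirmation that the plain-HTTP request and the 14-day-old token were both refused. The same header regex works as a quick check over a capture from a device's own Wi-Fi session to verify that, after a fix like the one described, no `GoogleLogin auth=` header appears in the clear.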
The server-side update that Google is using is probably the easiest route. It does not involve the company reaching into users' phones, nor does it involve pushing an update through cellular carriers. Essentially, Android owners will not notice any difference between how their phones transferred data yesterday and how they transfer it today.