
Google Quick to Patch New Security Flaw

Google is moving quickly to fix the security hole, reported on Tuesday by German researchers at Ulm University, that affects most Android phones.

The security flaw leaves Android devices running version 2.3.3 or below vulnerable to Wi-Fi snooping of the authTokens used by Google services and by sites like Facebook and Twitter. In a statement by a Google spokesperson, the company said it is “starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.”

The fix is a server-side update that will force the authTokens used by the calendar and contacts applications to be sent over Hypertext Transfer Protocol Secure (HTTPS). Google is still looking into how to patch the vulnerability within the Picasa photo-sharing application.

When the DroidDream malicious applications became a widespread problem in the Android Market, Google went straight into phones remotely to disable the harmful applications and the bootloader they had installed. This recent security vulnerability is not a malicious application but rather a problem with authentication in what are supposed to be safe (and frequently used) applications. Moving that information onto a secure protocol is enough to patch the vulnerability.

“This is not a band-aid,” said a Google spokesperson. “This is a fix and will not require an OTA update or any action from device owners.”

There were a couple of options available to Google. AuthTokens are saved for 14 days. The vulnerability arises when an application attempts to update automatically over an unsecured Wi-Fi connection, exposing its authToken to anyone snooping on that network. The most logical option would be to simply get rid of authTokens in favor of a more robust authentication system like OAuth. Alternatively, Google could keep authTokens in the system for a shorter time, applications could be prohibited from updating automatically on unsecured networks, or Google could require that API data calls be made over HTTPS to add a layer of security.
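To make the last two options concrete, here is an added example (not Google's or any Android app's real code) of a client-side guard that refuses to attach an authToken to a plaintext HTTP request, treats tokens older than the 14-day lifetime as expired, and audits a request log for tokens that went out in the clear. The `Authorization: GoogleLogin auth=` header is the ClientLogin format; the hostnames, tokens and log-line layout are constructed for the demo.

```python
"""Guard for ClientLogin-style authTokens (added example, not Google's or any
app's real code): refuse to attach a token to a plaintext HTTP request, treat
tokens older than the 14-day lifetime as expired, and audit request logs for
tokens sent in the clear. Hosts, tokens and the log format are constructed."""
from urllib.parse import urlsplit

AUTH_HEADER = "Authorization"
AUTH_PREFIX = "GoogleLogin auth="   # ClientLogin's Authorization header scheme
TOKEN_LIFETIME_DAYS = 14            # lifetime the article quotes for authTokens


class InsecureTransport(Exception):
    """Raised when a request would carry an authToken without TLS."""


def build_request(url: str, token: str, token_age_days: int) -> dict:
    """Return {'url', 'headers'} for a token-bearing request, or raise."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransport(f"refusing to send authToken over '{scheme}' scheme")
    if token_age_days >= TOKEN_LIFETIME_DAYS:
        raise ValueError("authToken past its lifetime; re-authenticate rather than reuse it")
    return {"url": url, "headers": {AUTH_HEADER: AUTH_PREFIX + token}}


def find_plaintext_tokens(log_lines) -> list:
    """Parse constructed log lines of the form '<METHOD> <URL> <Header>: <value>'
    and return the URLs that carried a GoogleLogin token over plain http://."""
    leaked = []
    for line in log_lines:
        _method, url, header = line.split(" ", 2)
        carries_token = header.startswith(f"{AUTH_HEADER}: {AUTH_PREFIX}")
        if carries_token and urlsplit(url).scheme.lower() != "https":
            leaked.append(url)
    return leaked


# Constructed sample traffic log (hosts and tokens are placeholders).
SAMPLE_LOG = [
    "GET http://calendar.example.test/feeds/default Authorization: GoogleLogin auth=TOKEN_PLACEHOLDER_1",
    "GET https://contacts.example.test/feeds/default Authorization: GoogleLogin auth=TOKEN_PLACEHOLDER_2",
    "GET http://photos.example.test/feed/api User-Agent: constructed-sample",
]

if __name__ == "__main__":
    print(find_plaintext_tokens(SAMPLE_LOG))   # only the calendar URL leaks a token
    print(build_request("https://contacts.example.test/feeds/default", "TOKEN_PLACEHOLDER_2", 3))
```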

The server-side update that Google is using is probably the easiest route. It does not involve the company reaching into users' phones, nor does it involve pushing an update through cellular carriers. Essentially, Android owners will not notice any difference between how their phones transferred data yesterday and how they transfer it today.
