SOFTWARE DEVELOPER Google is rolling out a security patch for Android that fixes a vulnerability reported to have affected 99 per cent of users.
The patch fixes an issue flagged by German security experts that could allow hackers to look at personal information in the Google calendar and contacts apps.
The University of Ulm researchers said that in Android 2.3.3 and earlier these apps transmitted unencrypted information to retrieve an authentication token, or Authtoken, from Google. This left an opening where criminals could steal the token through WiFi snooping.
Once a hacker had one of these Authtokens, they could use it for several days, accessing your private information and potentially impersonating an individual smartphone. In Android 2.3.4 this flaw is fixed, but 99 per cent of Android users were reported to be still using versions 2.3.3 and earlier, which meant they were all at risk.
But now Google is rolling out a silent server-side patch that won't require any action from Android users, forcing servers to use an encrypted HTTPS connection when syncing with a handset.
A Google spokesperson said, "We're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."
Sophos security consultant Graham Cluley praised Google's actions but added, "Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates." µ
A couple of comments below refer to the banner quotes displayed here at The INQUIRER.
These are randomly selected from a database server that is somewhere in The INQUIRER's web infrastructure - frankly I suspect we've forgotten exactly where - possibly walled up in a dusty abandoned closet in a disused part of the ancient towers in Soho, London.
They didn't use to be so prominent, originally appearing at the very top left of the banner in a small font. But they were moved in a web site design rejigger over a year ago, at the same time our old motto, "News and reviews, facts and friction" was dropped from the banner.
We might put that founders' motto back up someday, or think up another one, and we might even find that quote database again, too.
Please do not hesitate to let us know in comments to articles or better, via email, what you would like to see.
This would be where they use the "Android Market installs or deletes stuff on your device that you didn't ask for, probably without telling you" feature that came up in the news lately, when it was used to kill a Trojan app, or something.
As for the banner line, the Inq is just weird about these. I'm looking at, "Money will buy a fine dog, but only kindness will make him wag his tail." So, what, I should get a tablet PC instead of a dog?
This doesn't tell the name of the app.
Your banner reads "The INQUIRER: Misinforming people for years"