The security flaw that can expose sensitive data on Android phones that are connected to an unsecured WiFi network is being fixed by Google today through a server-side update.
We first got word of this security issue yesterday, when it was found that Android users on an unsecured WiFi network could have their Contacts, Calendar, and Picasa web albums stolen via the ClientLogin authentication protocol. Google’s fix requires nothing from the user and is applied entirely on the server. It addresses the Google Contacts and Calendar issue but does not cover synced web albums from Picasa.
The automatic update is being pushed as we speak but may not be completed until later this week.
Google’s official statement:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third-party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
Engineers are still trying to find an official fix for the Picasa web albums and will likely send it out as soon as the solution comes to light. Of the information that could potentially be stolen from an Android handset on an unsecured WiFi network, Picasa albums would likely be the least harmful. A hacker could take all of your contact numbers and even know where you’re going to be at a given time from your calendar information, so having pictures of your drunken weekend in Cabo exposed is less of a concern when you put it into perspective.
Because the update can be applied to the server through a patch, users will not have to wait for an over-the-air update, which would take a while to reach everyone globally. Now let’s get crackin’ on that Picasa issue, Google.