Researchers at a German university found that 99 percent of Android phones were leaving themselves open to attack whenever they connected to unsecured wireless networks.
While phones running Android 2.3.4 were protected from the leak, that still left 99 percent of all Android handsets susceptible to having personal data stolen. Google moved quickly to rectify the problem, and because it is a server-side fix, Android handset owners won't have to do anything. "We're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," Google said in a statement. The problem came to light after three researchers at the University of Ulm discovered the vulnerability, which stems from the way Android's sync clients used the ClientLogin authentication protocol: the authentication token obtained through ClientLogin was then sent to the Calendar and Contacts data APIs over unencrypted HTTP.
The vulnerability affected the authentication tokens used by some Google applications, such as Calendar and Contacts. The token lets a phone access the service without the user having to log in again, and because it was transmitted in the clear, it could be intercepted by anyone listening on the same unsecured wireless network. A captured token remains valid for up to 14 days, and the researchers said the problem was not limited to Calendar and Contacts; it was "theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs." The exposure is practical on unsecured Wi-Fi networks, where any nearby device can read the traffic, and it needs no user interaction because the affected apps sync automatically as soon as a connection is available - though automatic syncing can be disabled.
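To make the mechanism concrete, here is an added example (not code from the article or from the Ulm researchers) that shows what a passive observer on an open network can do with the traffic described above. It parses the key=value body the ClientLogin endpoint returns to a client, then scans constructed, made-up TCP payloads the way a sniffer would: cleartext HTTP requests carrying an `Authorization: GoogleLogin auth=` header give up their token, while the same request over HTTPS is just opaque TLS bytes. The token values, hostnames and request paths are constructed for illustration.

```python
"""Spot Google ClientLogin auth tokens sent over cleartext HTTP.

Added illustration, not the researchers' tooling. All traffic below is
constructed; the token strings are made up.
"""
import re
from dataclasses import dataclass

# Header form a ClientLogin-authenticated GData request uses on the wire.
AUTH_RE = re.compile(r"^Authorization:[ \t]*GoogleLogin[ \t]+auth=(\S+)[ \t]*$",
                     re.IGNORECASE | re.MULTILINE)
REQUEST_LINE_RE = re.compile(r"^(GET|POST|PUT|DELETE)[ \t]+(\S+)[ \t]+HTTP/1\.[01][ \t]*$",
                             re.MULTILINE)
HOST_RE = re.compile(r"^Host:[ \t]*(\S+)[ \t]*$", re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class LeakedToken:
    host: str
    path: str
    token: str


def parse_clientlogin_response(body: str) -> dict:
    """Parse the key=value lines ClientLogin returns (SID, LSID, Auth).

    'Auth' is the bearer-style token the client later puts in the Authorization
    header; whoever holds it can act as the user until it expires.
    """
    creds = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    return creds


def extract_token(request: str):
    """Return a LeakedToken if this plaintext request carries a ClientLogin token, else None."""
    request = request.replace("\r\n", "\n")  # normalise HTTP line endings for the regexes
    m_auth = AUTH_RE.search(request)
    if not m_auth:
        return None
    m_req = REQUEST_LINE_RE.search(request)
    m_host = HOST_RE.search(request)
    return LeakedToken(
        host=m_host.group(1) if m_host else "?",
        path=m_req.group(2) if m_req else "?",
        token=m_auth.group(1),
    )


def find_leaked_tokens(segments: list) -> list:
    """segments: (dst_port, payload bytes) pairs as a sniffer would reassemble them.

    Only cleartext HTTP (port 80) can be inspected; TLS payloads on 443 are
    opaque and skipped, which is exactly why forcing HTTPS closes the hole.
    """
    leaked = []
    for dst_port, payload in segments:
        if dst_port != 80:
            continue
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue
        hit = extract_token(text)
        if hit is not None:
            leaked.append(hit)
    return leaked


# Constructed ClientLogin response body (token values are made up).
CLIENTLOGIN_RESPONSE = (
    "SID=DQAAAJ0AAADexampleSID\n"
    "LSID=DQAAAJ0AAADexampleLSID\n"
    "Auth=DQAAAJ0AAADexampleAuthToken\n"
)

# Constructed captured traffic: (destination port, raw payload).
SAMPLE_SEGMENTS = [
    # Calendar sync over plain HTTP: the token is readable by anyone on the network.
    (80, (
        "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
        "Host: www.google.com\r\n"
        "Authorization: GoogleLogin auth=DQAAAJ0AAADexampleAuthToken\r\n"
        "User-Agent: Android-GData/1.0\r\n\r\n"
    ).encode("ascii")),
    # The same sync over HTTPS: the sniffer sees only a TLS ClientHello record.
    (443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01" + b"\x00" * 38),
    # Unauthenticated HTTP request: nothing to steal, not a finding.
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def main():
    creds = parse_clientlogin_response(CLIENTLOGIN_RESPONSE)
    print("Auth token handed to the client:", creds["Auth"])
    for leak in find_leaked_tokens(SAMPLE_SEGMENTS):
        print(f"cleartext token for {leak.host}{leak.path}: {leak.token}")


if __name__ == "__main__":
    main()
```

Running it reports exactly one leaked token, the one from the port-80 Calendar request; the HTTPS copy of the same sync yields nothing, which is the whole point of the server-side change to require encrypted connections.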
Google has been praised by security experts for reacting so quickly to the problem. The fix should be fully rolled out within a few days; until then, users are advised to avoid open Wi-Fi networks or to turn off automatic syncing when connecting to Wi-Fi.
Source: Bastian Könings Blog