A recently discovered security flaw in the Android operating system is now being fixed by Google. The vulnerability, found by German researchers, lets attackers steal your account information over rogue, unsecured WiFi connections.
I also need to correct myself: only three apps are affected, namely Google Calendar, Contacts and Picasa. Facebook and other social networking apps are not included.
The attack is carried out through unsecured rogue WiFi hotspots by exploiting the ‘ClientLogin’ authentication mechanism. Google only authenticates your Calendar, Contacts and Picasa clients once every 14 days; after that, an authentication token is used for validation. These tokens are sent unencrypted and can easily be captured by a malicious WiFi operator, exposing your personal information.
Google is currently fixing the issue on the server side, meaning the fix is applied on their servers and no handset patch is available yet. Android 2.3.4 (Gingerbread) is not vulnerable to this attack, but 99% of Android devices are still prone to it. Both Calendar and Contacts are fixed, and Google engineers are still working on the Picasa Web Albums issue. I guess Picasa does not pose a serious threat, unlike exposed Contacts, which is scary.
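To make the risk described above concrete from a defender's side, here is an added example (not code from this post, Google or the Android project) that audits a constructed proxy-style log of sync requests and flags any request that sends an authentication token over plaintext HTTP. The ClientLogin header format (`Authorization: GoogleLogin auth=<token>`) is the real one; the host names, paths, tokens and timestamps are constructed placeholders, and the 14-day figure is the token lifetime stated in the post. For each flagged request it also reports how many days a token captured at that moment would remain usable, which is the exposure window a server-side fix has to close.

```python
"""Audit constructed HTTP request records for reusable auth tokens sent in
cleartext, the weakness described in the post.  Example code added to this
page, not Google's or Android's own; hosts, paths and tokens are placeholders."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Token lifetime stated in the post: the sync token is reused for 14 days.
TOKEN_LIFETIME = timedelta(days=14)

# Constructed sample records shaped like a proxy/audit log, one request each.
SAMPLE_REQUESTS = [
    {"ts": "2011-05-16T09:00:00", "method": "GET",
     "url": "http://sync.example.test/calendar/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=TOKEN_CAL_PLACEHOLDER"},
     "token_issued": "2011-05-10T08:00:00"},
    {"ts": "2011-05-16T09:00:05", "method": "GET",
     "url": "https://sync.example.test/contacts/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=TOKEN_CON_PLACEHOLDER"},
     "token_issued": "2011-05-10T08:00:00"},
    {"ts": "2011-05-16T09:00:10", "method": "GET",
     "url": "http://cdn.example.test/static/logo.png",
     "headers": {},
     "token_issued": None},
]


def carries_credential(headers):
    """True if the request carries a reusable credential header.
    ClientLogin used 'Authorization: GoogleLogin auth=<token>'; 'Bearer' is
    included so the same check covers OAuth-style tokens (an assumption that
    goes beyond what the post describes)."""
    auth = headers.get("Authorization", "")
    return auth.startswith("GoogleLogin auth=") or auth.startswith("Bearer ")


def audit_request(rec):
    """Return a finding for a request that exposes a credential in cleartext,
    or None if the request is fine.  A plaintext http:// URL means every hop,
    including a rogue access point, can read the Authorization header."""
    scheme = urlparse(rec["url"]).scheme.lower()
    if scheme != "http" or not carries_credential(rec["headers"]):
        return None
    seen = datetime.fromisoformat(rec["ts"])
    issued = datetime.fromisoformat(rec["token_issued"])
    # A token captured now stays usable until its 14-day window runs out.
    remaining = issued + TOKEN_LIFETIME - seen
    return {
        "url": rec["url"],
        "problem": "credential sent over plaintext HTTP",
        "fix": rec["url"].replace("http://", "https://", 1),
        "remaining_validity_days": remaining.days,
    }


def audit_requests(records):
    """Run the audit over every record and keep only the findings."""
    return [f for f in (audit_request(r) for r in records) if f]


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding)
```

Only the Calendar request is flagged: it carries the token over `http://` while the Contacts request uses `https://` and the image fetch carries no credential. The reported `fix` is simply the same URL over TLS, which is the client-side half of the remedy; the server-side half, which the post says Google rolled out, is refusing to accept the token over plaintext and shortening how long a leaked one stays valid.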
Google’s official statement on the security issue:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.