Google rolls out a security patch for Android to fix an encryption hole
99 per cent of users were at risk
By Asavin Wattanajantra
Thu May 19 2011, 13:11

SOFTWARE DEVELOPER Google is rolling out a security patch for Android that fixes a vulnerability reported to have affected 99 per cent of users.

The patch fixes an issue flagged by German security experts that could allow hackers to look at personal information in the Google calendar and contacts apps.

The University of Ulm researchers said that in Android 2.3.3 and earlier these apps transmitted unencrypted information to retrieve an authentication token, or Authtoken, from Google. This left an opening where criminals could steal the token through WiFi snooping.

Once a hacker had one of these Authtokens, they could use it for several days, accessing your private information and potentially impersonating an individual smartphone. In Android 2.3.4 this flaw is fixed, but it was mentioned that 99 per cent of Android users were still using versions 2.3.3 and earlier, which meant they were all at risk.

But now Google is updating all of the endangered handsets with a silent server-side patch that won't require any action by Android users, forcing servers to use an encrypted HTTPS connection when syncing with a handset.

A Google spokesperson said, "We're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."

Sophos security consultant Graham Cluley praised Google's actions but added, "Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates."