A significant security flaw has been discovered in Google's Android operating system that can expose users' personal information to attackers without any permission from the user. The flaw was discovered by three researchers at Ulm University in southern Germany and affects roughly 97% of Android devices in use.
According to a recent blog post, the researchers found that Android users running version 2.3.3 and earlier are at risk when they connect to unencrypted Wi-Fi networks: anyone else on that network can read, modify or delete the user's calendar entries, contacts and photos with little effort.
A Google spokesperson said the company is aware of the issue and that a fix for Calendar and Contacts is already in place in the latest versions of Android, Honeycomb and Gingerbread. A fix for the Picasa photo-sharing service is still in the works.
The catch is that only about three percent of Android users run those latest versions. Google says it is working on a fix for devices running older versions, which should roll out globally within the next few days and requires no action on the user's part.
The flaw stems from the affected services using an unencrypted login protocol. Because the authentication exchange travels over HTTP instead of HTTPS, anyone sniffing the same unencrypted Wi-Fi network can capture the login credential (an authentication token) and reuse it. The attack works against any affected Android device on an unencrypted Wi-Fi network.
The researchers also found that only the services that rely on this unencrypted login are exposed, so an attacker can reach the user's photos, contacts and calendar but cannot read email or the like, which, depending on how you look at it, is some relief.
Fortunately, Google was able to fix the problem on its own servers by switching calendar and contact synchronization to an HTTPS connection, which avoids a slow device-by-device update. Once the updated code is released, manufacturers and carriers can also ship it for the devices at risk.
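As an added illustration (not code from the article or from the Ulm researchers), the Python below shows the two halves of the problem described above: what a passive sniffer on an open Wi-Fi network gets from a cleartext sync request, and the client-side rule that closes the hole by refusing to send the credential over anything but HTTPS. The captured request is constructed; the host, path and token value are made up, and the `GoogleLogin auth=` header shape follows Google's old ClientLogin format.

```python
from urllib.parse import urlsplit

# Constructed sample request, as a passive sniffer on an open Wi-Fi network
# would see it when the sync client talks plain HTTP. Host, path and token
# value are made up; the "GoogleLogin auth=" header shape is Google's old
# ClientLogin format.
CAPTURED_REQUEST = (
    b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    b"Host: sync.example.invalid\r\n"
    b"Authorization: GoogleLogin auth=DQAAAK_EXAMPLE_TOKEN_1234567890\r\n"
    b"User-Agent: Android-Sync/1.0\r\n"
    b"\r\n"
)


def extract_credential(raw_request: bytes):
    """Return the Authorization header value from a raw HTTP request,
    or None if it is absent. Over cleartext HTTP this is all an attacker
    on the same network has to do to obtain the sync credential."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    if not (request_line.endswith(b" HTTP/1.1") or request_line.endswith(b" HTTP/1.0")):
        return None
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            return value.strip().decode("ascii", errors="replace")
    return None


def replay_headers(raw_request: bytes):
    """Headers an attacker would attach to their own request to act as
    the victim: the captured credential is a bearer token, so copying the
    header verbatim is enough. Returns None if nothing was captured."""
    cred = extract_credential(raw_request)
    return {"Authorization": cred} if cred else None


class InsecureTransport(Exception):
    """Raised when a credential would be sent over a cleartext scheme."""


def authorized_request_headers(url: str, token: str):
    """Client-side rule that closes the hole: build the sync request
    headers only if the URL uses HTTPS, otherwise refuse outright."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransport(f"refusing to send credential over {scheme!r}")
    return {"Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    print("sniffed credential:", extract_credential(CAPTURED_REQUEST))
    print("attacker replay headers:", replay_headers(CAPTURED_REQUEST))
    print(authorized_request_headers("https://sync.example.invalid/calendar", "tok"))
    try:
        authorized_request_headers("http://sync.example.invalid/calendar", "tok")
    except InsecureTransport as exc:
        print("blocked:", exc)
```

The point of `replay_headers` is that no cracking is involved: the sniffed token is a bearer credential, so the attacker simply reuses it until it expires. Enforcing the scheme on the client, as `authorized_request_headers` does, is the device-side counterpart of Google's server-side switch to HTTPS.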
The researchers also suggested that Google stop devices from automatically connecting to and remembering unencrypted Wi-Fi networks, but Google has not said whether it has taken that step.