Android security fix for 97% of Android devices
The fix, which addresses a hole allowing hackers to access the contacts, calendars and photos on an Android phone connected to an open Wi-Fi network, will take a few days to cover every phone, a Google spokesman said.
Unlike a traditional software update, the fix is applied on Google’s servers, so Android users won’t need to take any action themselves.
The newest versions of Android, including the new wave of tablets running its Honeycomb software, are not affected by the bug, according to the researchers at Ulm University who initially reported the issue.
It’s a server-side fix – Google will make its servers switch to a secure channel when syncing users’ data. The fix should roll out to Google’s servers over the next few days and affect every Android device.
The Contacts and Calendar apps were affected, and this fix should make them secure. The Gallery app, which syncs online albums with Picasa, is also affected and will remain vulnerable after the fix (the Gallery app is developed by a third party). Google is looking into that but didn’t give a timeframe for fixing the Gallery hole.
There are 100 million activated Android devices, according to Google, and 400,000 new devices are activated every day. In all, researchers at Ulm University in Germany who discovered the flaw last week estimate about 98 percent of Android users are vulnerable.
Although Google is promising an automatic fix, the German researchers indicated consumers don’t have to wait. Android users can update to Android 2.3.4 to sidestep the vulnerability. However, they also noted that it may take weeks or months for an update to become available, depending on the phone vendor. The researchers also suggested that Android users switch off automatic synchronization when connecting to open Wi-Fi networks. Users can also make the device forget an open network it previously connected to by selecting "forget" in that network’s settings, or simply avoid open Wi-Fi networks. As for Google, the researchers said the company should drastically limit the lifetime of an authToken. What’s more, they said, Google services could reject client log-ins over insecure http connections to enforce the use of https, and limit automatic connections to protected networks.
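The two server-side changes the researchers recommend, a short authToken lifetime and refusing tokens that arrive over plain http, can be sketched as a token check. This is an added illustration, not Google's code; the key, the 15-minute lifetime and the token layout are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo secret and lifetime; a real service would use a managed key
# and choose the lifetime from its own risk assessment.
SERVER_KEY = b"constructed-demo-key"
TOKEN_LIFETIME = 15 * 60  # seconds


def issue_token(user: str, issued_at: int) -> str:
    """Issue an authToken bound to a user and its issue time (constructed format)."""
    payload = f"{user}:{issued_at}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def check_sync_request(token: str, scheme: str, now: int) -> str:
    """Return 'ok' or a rejection reason for a sync request carrying `token`.

    A token sent over plaintext http is refused outright, so a token that was
    observable on an open network never unlocks the sync endpoint; a token
    older than TOKEN_LIFETIME is refused even over https.
    """
    if scheme != "https":
        return "rejected: token presented over plaintext transport"
    try:
        user, issued_str, mac = token.split(":")
        issued_at = int(issued_str)
    except ValueError:
        return "rejected: malformed token"
    expected = hmac.new(SERVER_KEY, f"{user}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "rejected: bad signature"
    if now - issued_at > TOKEN_LIFETIME:
        return "rejected: token expired"
    return "ok"
```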