Researchers have pointed out that a flaw in all but the most recent versions of Android leaves the vast majority of Android phones vulnerable to a snooping attack.
A report last week from researchers at Germany’s Ulm University found that Google authentication tokens are susceptible to interception in all but the Gingerbread and Honeycomb releases of Android. As a result, an attacker could easily gain access to a user’s private Google account information, such as calendar and contact information, if that phone is used on an open Wi-Fi network.
The issue here (and it is not unique to Google) is that when unencrypted information is sent over open networks, it is easily intercepted, says Lookout Mobile Security CTO Kevin Mahaffey. […]
Much of the data transmitted from PCs and phones is still sent over unencrypted connections. However, Mahaffey said the time has come for services to move any potentially sensitive information over a secured connection. […]
In Google’s case, sending the authentication tokens over an unencrypted connection means that an attacker who intercepts one, even without the user’s password, can access the account information for the life of the token, in this case around two weeks. Google changed its processes in the latest releases of Android, but the vast majority of users are running Froyo or older versions of the operating system.
Plus, unlike with a computer vulnerability, users don’t have a way to quickly update their phone’s software as new issues are discovered. Instead, updates to the operating system typically take months to get approved by the phone makers and carriers before becoming available to phone owners, if they are made available at all. […]
In the meantime, Mahaffey recommends that users try to avoid unsecured Wi-Fi connections altogether, or, if they are using such connections, that they turn off synchronization and be careful what other types of data they send. […]
For its part, Google says it is aware of the issue, has made some changes and is working on others.