Android phones are vulnerable to a flaw that could allow unauthorised parties to snoop on a user's Google calendar and contacts information.

Researchers from the University of Ulm in Germany found that an application using ClientLogin needs to request an authentication token (authToken) from the Google service by passing an account name and password via a HTTPS connection. However, if this authToken is used in requests sent over unencrypted HTTP, a third party can easily sniff the authToken. As the authToken is not bound to any session or device-specific information, a third party can subsequently use the captured authToken to access any personal data that is made available through the service API.

Writing in a blog post, researchers Bastian Könings, Jens Nickels and Florian Schaub said: “For instance, the adversary can gain full access to the calendar, contacts information or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events or private pictures.

“This is not limited to items currently being synced but affects all items of that user. The attack is very similar to stealing session cookies of websites (Sidejacking). The feasibility of Sidejacking attacks against well-known websites, such as Facebook or Twitter, has lately been demonstrated by the Firesheep plug-in which attracted a lot of attention.”

They also said that the vulnerability is not limited to standard Android apps, but to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS.

Graham Cluley, senior technology consultant at Sophos, pointed out that the scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly available in hotel lobbies, airports or at the coffee shop on the corner of your street).

“According to the researchers, Google has fixed the problem in Android 2.3.4. But there's the rub. Just how many people are still running older versions of the Android OS? Approximately 99 per cent of Android users are vulnerable, as they haven't updated to at least version 2.3.4,” said Cluley.

“Unfortunately it's not always possible to easily upgrade the version of Android running on your phone, as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air. There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users. This fragmentation inevitably leaves Android devices open to security problems.”

Mark Evans, director at IT services provider Imerja, said: “That such an enormous proportion of Android phones could potentially be leaking users' personal data is shocking. Mobile devices are increasingly used for business, more so than laptops, and their security is essential to protect organisations against data breach or other ill-intentioned activities.

“The message to companies is clear; mobile devices must be properly secured – this goes beyond forcing employees to update operating systems on Android devices, as they should be implementing robust and enforceable security policy structures to support effective mobile working, such as encryption.”

Ron Gula, CEO of Tenable Network Security, said: “When it comes to mobile security, all smartphones and tablets share a common set of challenges: they carry lots of data; they are often riding around in someone's pocket where they can be easily misplaced; they transfer data over a network that can be intercepted; and they run applications that may or may not be well written.

“This is the case regardless of the mobile platform. The technology is often new and rapidly changing, so the potential for spyware is huge and all smart devices will continue to be a constant security concern now and in the future.”

A new survey by Forrester reveals 56 per cent of third party code is untested. Hear Forrester and SC magazine dissecting the results http://ow.ly/59hLF