Google has confirmed that it will release a server-side patch for a vulnerability in its Android OS.
According to Network World, a Google spokesperson said: “We are starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
“This fix requires no action from users and will roll out globally over the next few days.”
The flaw could allow unauthorised parties to snoop on a user's Google calendar and contacts information, according to research from the University of Ulm in Germany. There, researchers Bastian Könings, Jens Nickels and Florian Schaub found that an application using ClientLogin needs to request an authentication token (authToken) from the Google service by passing an account name and password over an HTTPS connection. However, if this authToken is then used in requests sent over unencrypted HTTP, a third party on the same network can easily sniff the authToken and reuse it.
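As an added example (not code from the article or from Google), the following shows the two defensive sides of the problem the Ulm researchers describe: a client-side guard that refuses to attach a ClientLogin authToken to anything but an HTTPS request, and a detector that flags plaintext-HTTP requests carrying such a token in captured traffic. The `Authorization: GoogleLogin auth=<token>` header is the ClientLogin convention; the token values, hosts and capture lines are constructed, and the capture format is a simplified one assumed for this example.

```python
from urllib.parse import urlsplit


class PlaintextTokenError(Exception):
    """Raised when an authToken would be sent over unencrypted HTTP."""


def token_may_be_sent(url: str) -> bool:
    """True only for HTTPS URLs: an authToken is a bearer credential, so it
    must never leave the device on a connection a sniffer can read."""
    return urlsplit(url).scheme.lower() == "https"


def build_headers(url: str, auth_token: str) -> dict:
    """Return ClientLogin request headers, refusing plaintext transports."""
    if not token_may_be_sent(url):
        raise PlaintextTokenError(f"refusing to send authToken to {url}")
    return {"Authorization": f"GoogleLogin auth={auth_token}"}


def find_plaintext_token_leaks(capture_lines):
    """Flag captured request records where a GoogleLogin token went out in clear.

    Each record is a constructed, simplified capture line of the form
    "<scheme> <host> <path> <header-name>: <header-value>".
    Returns the (host, path) pairs that leaked a token over plain HTTP.
    """
    leaks = []
    for line in capture_lines:
        scheme, host, path, header = line.split(" ", 3)
        name, _, value = header.partition(": ")
        if (scheme.lower() == "http" and name.lower() == "authorization"
                and value.startswith("GoogleLogin auth=")):
            leaks.append((host, path))
    return leaks


# Constructed sample capture: one sync over TLS, one token leaked over plain
# HTTP, one unrelated plaintext request that must not be flagged.
SAMPLE_CAPTURE = [
    "https www.google.com /calendar/feeds/default/private/full "
    "Authorization: GoogleLogin auth=DQAAAK_constructed_token",
    "http www.google.com /m8/feeds/contacts/default/full "
    "Authorization: GoogleLogin auth=DQAAAK_constructed_token",
    "http www.google.com /robots.txt User-Agent: constructed-sample",
]

if __name__ == "__main__":
    print(find_plaintext_token_leaks(SAMPLE_CAPTURE))
```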
Graham Cluley, senior technology consultant at Sophos, said: “Google reckons the work will be complete, and all devices secured from this vulnerability, within the week by forcing its servers to use an encrypted HTTPS connection when Android phones try to sync with them.
“So, it's a very good thing that this problem is being fixed. Of course, concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates.”