Just yesterday, Google admitted that it has yet to fully fix the security flaw in Android that allowed usernames and passwords for Google Calendar, Facebook, Twitter, Picasa, and other services to be easily stolen via unencrypted WiFi networks. Although Android 2.3.4 addressed most of the concerns, most folks still cannot get the update to their devices. Thankfully, Google today confirmed that they’re rolling out a server-side fix that should take care of all users.
Researchers in Germany discovered that Android had been using cleartext authentication tokens (authTokens) that remain valid for up to fourteen days, which could be intercepted whenever an Android device connected to an unencrypted WiFi network. An attacker could set up an unencrypted WiFi network in a public location that impersonates a common public network, such as those operated by T-Mobile or Starbucks. Android devices automatically connect to previously known networks and then automatically attempt to sync their apps. Syncing in these instances would fail, but the authTokens sent in the sync requests would already have been captured.
Android 2.3.4 addressed these issues for Google Calendar and Contacts, but Picasa remained vulnerable. The fix today, however, still does not address the Picasa vulnerability. Google is still trying to figure that one out. But the good news is that it will at least address most of the issues for folks stuck with older versions of Android, since this server-side fix will not require rolling out updates to each of the millions of Android handsets out in the world.
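The two properties that made the flaw described above exploitable were tokens sent over plain HTTP and tokens that stayed valid for about two weeks. As an added example (not code from the article or from Google), here is a small audit that a developer or administrator could run over a constructed log of an app's own sync requests to flag both conditions; the hostnames, token values and the one-day lifetime policy are assumptions for illustration:

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "timestamp method url authorization-header", one request per line.
# Hosts and token values are invented for this example; they are not real endpoints or tokens.
SAMPLE_REQUESTS = """\
2011-05-18T09:00:00 GET http://calendar.example.test/sync GoogleLogin auth=DQAAAK1
2011-05-18T09:00:01 GET https://contacts.example.test/sync GoogleLogin auth=DQAAAK2
2011-05-18T09:00:02 POST http://picasa.example.test/feed GoogleLogin auth=DQAAAK3
2011-05-18T09:00:03 GET https://mail.example.test/sync GoogleLogin auth=DQAAAK4
"""

# When each token was issued (constructed). The flaw kept tokens usable for about 14 days.
TOKEN_ISSUED = {
    "DQAAAK1": datetime(2011, 5, 1),
    "DQAAAK2": datetime(2011, 5, 18),
    "DQAAAK3": datetime(2011, 5, 10),
    "DQAAAK4": datetime(2011, 5, 12),
}
MAX_TOKEN_AGE = timedelta(days=1)  # assumed policy: sync tokens should not live longer than a day

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) GoogleLogin auth=(\S+)$")


def audit(log_text, issued=TOKEN_ISSUED, max_age=MAX_TOKEN_AGE):
    """Return (token, finding) pairs for every request that violates the policy.

    "cleartext": the token was sent over a non-HTTPS URL and is exposed on an open WiFi network.
    "stale":     the token was older than max_age when it was used and should have been rotated.
    """
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that carry no GoogleLogin header
        timestamp, _method, url, token = match.groups()
        used_at = datetime.fromisoformat(timestamp)
        if urlparse(url).scheme != "https":
            findings.append((token, "cleartext"))
        if used_at - issued[token] > max_age:
            findings.append((token, "stale"))
    return findings


if __name__ == "__main__":
    for token, finding in audit(SAMPLE_REQUESTS):
        print(f"{token}: {finding}")
```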
[via Android Community]