18
May
26-Android-security_thumb

Well, that only took one media firestorm. Google, in response to widespread reports of a potential credential security hole in Android (which not only affects Android, but any OS using authTokens), is starting to roll out a fix for the public Wi-Fi vulnerability to all affected Android devices today. Google's statement, below:

Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.

The vulnerability could only be exploited on public Wi-Fi networks - either by a sniffing attack, or SSID spoofing (a much more common method), and allowed an attacker to take a user's authToken for a particular service (eg, Calendar, Twitter, Facebook, etc.), and then use it to log in to the respective service and engage in whatever unscrupulous behavior they so desired.

The hole has already been plugged in Gingerbread 2.3.3, as well as in Honeycomb, but the number of Android devices running those versions of the OS is obviously miniscule. Clarification: The fix is going out server side - meaning local authTokens will be erased and replaced with new (secure) ones upon logging back in to the affected service. Thanks to commenters for pointing this out.

AllThingsD

David Ruddock
David's phone is an HTC One. He is an avid writer, and enjoys playing devil's advocate in editorials, imparting a legal perspective on tech news, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.

  • Dbagjones

    The question is now, will this fix break anything on custom ROMs?

    • David Ruddock

      Of course it technically could, but that seems exceedingly unlikely. The nature of the fix is pretty agnostic of any major OS functions, I would think. But who knows.

  • Victor

    My question is why don't they just always roll out updates like this?

    • David Ruddock

      The fix is probably able to be implemented on any device without much need to be concerned with hardware or software-specific compatibility issues arising.

      And Google is definitely not responsible for updating the OS on specific devices - that's the job of manufacturers.

      • http://droidsamurai.blogspot.com PixelSlave

        >> And Google is definitely not responsible for updating the OS on specific devices – that’s the job of manufacturers.

        Unlike a desktop OS, there's no retail version of Android. So, we consumers can't just go out and purchase Gingerbread and install it onto our phone. Which means, we are at the mercy of the manufacturers to keep us updated. And you know what, they are hardware makers. Their best interest is to sell us new hardware, not keeping our old one alive. Therefore, Google is the ultimate source we can rely on.

  • Larry M

    Now if Google would only use this mechanism to give all of us Android users a means to take our phones back to stock Android, and remove any OEM skinned UIs.

    One can dream, right?

  • Eddie

    Anyone knows what APK will Google install to fix this?

    • http://htcsensationblog.com/ ZohMan

      coming soon on 2.3.5, lol

  • JCopernicus

    This is being fixed server side. It has nothing to do with updating android coding. It was never a platform problem, it was a security measure problem. They're probably killing all tokens.
    This was never an "android problem".

  • Matt M

    My question is, how would you know if you got the silent patch....

    • Simon Belmont

      There is no patch per se. The fix is on the server, in regards to authTokens.

      Your phone's software will not be changed at all with this fix. It will just use more secure authTokens from this point on.

  • SiliconAddict

    Don't get too cocky. There still is fragmentation. All they did was fix this server side and left a hole in Picasa. Of course if you actually dug into this before posting you know know this. For once...I can't believe I'm saying this. Engadget's reporting is pretty much accurate and fair.

    http://www.engadget.com/2011/05/18/google-confirms-android-security-issue-server-side-fix-rolling

    iTard and Fandroids alike are under and over playing the role that fragmentation has. Is there a problem? Yes. Is it as big as iTards make it out to be? No. Has it been driving carriers nuts? Hell yes.

    • David Ruddock

      We've updated to address this - our source (AllThingsD) was very cryptic about how the fix was being implemented, and at the time I wrote this earlier today, they were the only source available.

      We take the accuracy of our articles seriously, and we presumed Google was taking steps similar to the ones they had in tackling recent malware problems. We were incorrect in that assumption, and apologize.