Google Patches Up Security Hole Affecting Most Android Phones

  • Share
  • Read Later

Google has addressed the recently-reported security hole that potentially affected 99% of Android phones used on open Wi-Fi networks.

The issue was detailed in this post here, but the basic gist is as follows:

“[W]hen a vulnerable Android phone connects to the internet, the Google apps on that phone will attempt to synchronize with Google’s servers. Part of the synching process includes sending a username and password which, if it proves to be legit, is stored as a special 14-day pass (the “token”) so that you don’t have to provide your username and password every time you log in.

If data thieves were to set up a commonly-named Wi-Fi access point—it’d be named Linksys or Netgear or Starbucks or whatever—in a populated area and a bunch of people’s Android phones established connections to that access point, the evil-doers would be able to capture these tokens and then turn around and use that information to log into someone’s account.”

A Google representative told the Register that it started rolling out a fix yesterday, saying, “This fix requires no action from users and will roll out globally over the next few days.” As part of the update, Google will encrypt the data that gets synchronized between Android phones and its servers.

More on Security Hole Apparently Affects Just About Every Android Phone