Sigh
I posted this very problem on android stackexchange before Christmas. It is terrible that nobody took this seriously - especially with the fuss about the Firesheep plugin for Firefox.
:(
Google has plugged a security hole that exposed the vast majority of Android phone users' calendars and contacts when they accessed those services over unsecured networks. "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data …
You'd think that a company like Google would know better than letting identification go through unencrypted channels (even a one-time token). Especially on a mobile device, which is deemed to connect through non-secure or even hostile networks. Calendar and contact are not banking-site-grade things but still can be used to build further attacks, notably social engineering ones. Potentially not good.
Good that they fixed that one, and from the server side too, no problem from laggard network operators failing to release the upgrade to their clients.
I should coco and rightly so! Data protection act 1998 anyone?
The guidelines here are useful; http://www.ico.gov.uk/for_organisations/data_protection/security_measures.aspx ; in particular this little gem:
# Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
So a plain text authkey which doesn't expire for a fortnight but which is, potentially, "safeguarding" some pretty personal information, was a complete joke. Glad they fixed it... err... they really have fixed it though right?
Was this ever exploited? No.
Would this ever have been exploited? Probably not.
Amazing the amount of media sensationalism there is over this (the front page of The Metro - really?!), it almost makes you wonder if one big tech company might be spending money smearing another... nah - that would never happen!
Unfortunately, whilst Google's change might protect against passive sniffers, it doesn't protect against a man-in-the-middle attack. This is easy to mount:
* Attacker inserts their own server pretending to be Google
* Fake server says that it can only do HTTP
* Phone happily connects to it
* Fake server opens a separate HTTPS connection to Google
* Fake server copies traffic back and forth, reading and/or modifying it as it goes
This can only be properly fixed client-side. The client code must not fallback to HTTP, and the client must validate the certificate of the server it's talking to.
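The two client-side requirements named in the comment above (never fall back to HTTP, always validate the server certificate), shown as an added example that is not part of the original thread and not Google's code. The function names, the `Bearer` header format and the host names used with it are assumptions.

```python
import ssl
import urllib.request as ur
from urllib.parse import urlsplit


class DowngradeRefused(Exception):
    """Raised when a request or redirect would leave HTTPS."""


def require_https(url):
    """Reject any URL that is not https:// before a token is attached."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise DowngradeRefused(f"refusing non-HTTPS URL: {url!r}")
    return url


class NoDowngradeRedirects(ur.HTTPRedirectHandler):
    """Follow a redirect only when the new location is still HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)  # an "HTTP only" answer from a fake server stops here
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def strict_tls_context():
    """TLS context that validates the certificate chain and the host name."""
    ctx = ssl.create_default_context()
    # Already the defaults; set explicitly so a later edit cannot relax them unnoticed.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_sync_opener():
    """Opener with no plain-HTTP handler registered, so fallback is impossible."""
    opener = ur.OpenerDirector()
    for handler in (ur.HTTPSHandler(context=strict_tls_context()),
                    NoDowngradeRedirects(), ur.UnknownHandler(),
                    ur.HTTPDefaultErrorHandler(), ur.HTTPErrorProcessor()):
        opener.add_handler(handler)
    return opener


def fetch_with_token(opener, url, token):
    req = ur.Request(require_https(url))  # scheme check comes before the token
    req.add_header("Authorization", "Bearer " + token)  # header format is an assumption
    return opener.open(req, timeout=10)
```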
INT WTF? They by default or via user-activated Wi-Fi usage set phones to help Google map out every known or unknown unique, detected Wi-Fi hotspot and had tables logging away on the phone. Now, we find -- and I've suspected all along -- that the calendar and contacts list could be exploited. I think I have not put a damned thing on the calendar out of fear of being exploited. But, prior 2011 (IIRC), Google made it MANDATORY that the android phone and the google contacts be sync'ed up.
If one wants to think conspiratorially, this could EASILY and HANDILY serve the needs or desires of domestic intelligence agencies of various countries. They could just hoover up the stuff and then build a portfolio, using, say, Visual Analytics-like apps, to monitor clusters of individuals and map them to associations and coincidental convergences and locations.
How could Google NOT know this? I think that one day we're going to find that Google is increasingly compelled to become a tool manipulated by intelligence agencies, google-complying or not.
"I think I have not put a damned thing on the calendar out of fear of being exploited. But, prior 2011 (IIRC), Google made it MANDATORY that the android phone and the google contacts be sync'ed up."
If you don't want to use Gmail, contacts, Google calendar, or in fact, *any* Google service, you don't have to! If you do, then you're outsourcing your privacy and security to them, you have the choice.
My Android is bent to my will, the only interaction it has with Google is the Gmail logon I created the first time I turned it on, just to enable the Market, with no personal details, linked to nothing else and not used.
That's the thing: whilst Google is almost as bad as Apple, you have the option to not give them anything you don't want to.