Google rolls out fix for Android security threat

Google has plugged a security hole that exposed the vast majority of Android phone users' calendars and contacts when they accessed those services over unsecured networks. "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data …


This topic is closed for new posts.
  1. Anonymous Coward


    I posted this very problem on android stackexchange before Christmas. It is terrible that nobody took this seriously - especially with the fuss about the Firesheep plugin for Firefox.


  2. Adze
    Thumb Up

    It took a bit of prompting from the tech media...

    ...but nice one Google, kudos. Not a lot of kudos, granted.

  3. ElReg!comments!Pierre

    You'd think they'd know better

    You'd think that a company like Google would know better than letting identification go through unencrypted channels (even a one-time token). Especially on a mobile device, which is deemed to connect through non-secure or even hostile networks. Calendar and contacts are not banking-site-grade things but still can be used to build further attacks, notably social engineering ones. Potentially not good.

    Good that they fixed that one, and from the server side too, no problem from laggard network operators failing to release the upgrade to their clients.

    1. Darren 12

      14 days

      It isn't a "one-time token". The tokens are valid up to a maximum of 14 days and are sent every time the relevant app is opened or synced. All this means is that Google didn't consider that contact and calendar data were important. They've obviously changed their minds now.

      1. Adze

        "They've obviously changed their minds now..."

        I should coco and rightly so! Data protection act 1998 anyone?

        The guidelines here are useful; in particular this little gem:

        # Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.

        So a plain text authkey which doesn't expire for a fortnight but which is, potentially, "safeguarding" some pretty personal information, was a complete joke. Glad they fixed it... err... they really have fixed it though right?

  4. Stefing

    A lot of fuss over...

    Was this ever exploited? No.

    Would this ever have been exploited? Probably not.

    Amazing the amount of media sensationalism there is over this (the front page of The Metro - really?!), it almost makes you wonder if one big tech company might be spending money smearing another... nah - that would never happen!

  5. probedb


    I guess we'll get this on O2 phones sometime in the next century then....

    1. Dave Murray

      Learn to read

      This is a server side fix so you'll get it immediately as it has nothing to do with O2, your phone or its manufacturer.

  6. Anonymous Coward

    unless you have an Orange branded phone

    then you are unlikely to see any sort of update for a while, we are still waiting for 2.3.3!

    1. John Robson Silver badge

      Read it again

      A) Cyanogenmod (other aftermarket firmwares are available)

      B) It's a server side fix (refusing the HTTP connection makes handsets try HTTPS)

  7. PartTimeLegend
    Paris Hilton

    The title is required, and must contain letters and/or digits.

    Are they making this change server side or client side? I would presume this would be server side, as there are just too many variables to consider client side.

    Paris, because there is no Google icon.

    1. Chris 2

      beedly boodly beep

      "Are they making this change server side or client side?"

      It's, er, right there in the article...

      1. B Candler Silver badge

        This is no fix

        Unfortunately, whilst Google's change might protect against passive sniffers, it doesn't protect against a man-in-the-middle attack. This is easy to mount:

        * Attacker inserts their own server pretending to be Google

        * Fake server says that it can only do HTTP

        * Phone happily connects to it

        * Fake server opens a separate HTTPS connection to Google

        * Fake server copies traffic back and forth, reading and/or modifying it as it goes

        This can only be properly fixed client-side. The client code must not fallback to HTTP, and the client must validate the certificate of the server it's talking to.
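The downgrade B Candler describes, and the "refuse HTTP, client retries HTTPS" fix John Robson mentions further up, as an added example that is not part of this thread or of Google's client code: a sync client that silently falls back to plain HTTP beside one that stays on verified TLS. The host name, the `connect()` transports and the reply bytes are constructed for the demonstration.

```python
# Added example (not from this thread or from Google): HTTPS-only sync
# client with certificate verification, beside the fallback behaviour the
# comment above warns about. Hosts, transports and replies are constructed.
import http.client
import ssl
from urllib.parse import urlparse


class DowngradeError(Exception):
    """Raised when a request would leave TLS (non-HTTPS scheme)."""


def strict_tls_context() -> ssl.SSLContext:
    # create_default_context() loads the system CA store and turns on
    # certificate verification plus hostname checking, so a self-inserted
    # "fake Google" without a CA-issued cert for that name is rejected.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def https_connect(scheme: str, host: str) -> bytes:
    """Real transport: always HTTPS with the strict context; scheme is
    ignored on purpose because this transport never speaks plain HTTP."""
    conn = http.client.HTTPSConnection(host, context=strict_tls_context())
    conn.request("GET", "/calendar")
    return conn.getresponse().read()


def vulnerable_fetch(url: str, connect) -> bytes:
    """Tries HTTPS, then silently downgrades to HTTP when TLS fails."""
    host = urlparse(url).hostname
    try:
        return connect("https", host)
    except ConnectionError:
        return connect("http", host)  # auth token now crosses the wire in clear


def hardened_fetch(url: str, connect) -> bytes:
    """HTTPS only; a TLS failure is an error, never a reason to downgrade."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise DowngradeError(f"refusing non-TLS scheme {parsed.scheme!r}")
    return connect("https", parsed.hostname)  # ConnectionError propagates


# Constructed model of the fake server in the comment: refuses TLS, answers
# plain HTTP, so everything the client sends is readable and modifiable.
PLAINTEXT_REPLY = b"constructed: plain-HTTP reply, token visible to the MITM"


def mitm_connect(scheme: str, host: str) -> bytes:
    if scheme == "https":
        raise ConnectionError("fake server: I can only do HTTP")
    return PLAINTEXT_REPLY
```

Run with `mitm_connect` to see the two policies diverge; pass `https_connect` to talk to a real host through the verified context.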

  8. Anonymous Coward
    Thumb Up

    Good against providers doing DPI

    This is very good news, especially since Vodafone and KPN in the Netherlands have admitted to doing Deep Packet Inspection, which means that they could have your authentication token even when connecting over 3G.

    1. TeeCee Gold badge
      Black Helicopters

      Vodafone NL and KPN doing DPI?

      I wonder what phorm that inspection takes?

  9. PartTimeLegend

    I do look daft

    Just read the email from Dan where he says to read the article again.

    Mine's the one with my glasses in the pocket.

  10. dssf

    How could they NOT take this seriously?

    INT WTF? They by default or via user-activated Wi-Fi usage set phones to help Google map out every known or unknown unique, detected Wi-Fi hotspot and had tables logging away on the phone. Now, we find -- and I've suspected all along -- that the calendar and contacts list could be exploited. I think I have not put a damned thing on the calendar out of fear of being exploited. But, prior to 2011 (IIRC), Google made it MANDATORY that the android phone and the google contacts be sync'ed up.

    If one wants to think conspiratorially, this could EASILY and HANDILY serve the needs or desires of domestic intelligence agencies of various countries. They could just hoover up the stuff and then build a portfolio, using, say, Visual Analytics-like apps, to monitor clusters of individuals and map them to associations and coincidental convergences and locations.

    How could Google NOT know this? I think that one day we're going to find that Google is increasingly compelled to become a tool manipulated by intelligence agencies, google-complying or not.

    1. Matthew Collier


      "I think I have not put a damned thing on the calendar out of fear of being exploited. But, prior 2011 (IIRC), Google made it MANDATORY that the android phone and the google contacts be sync'ed up."

      If you don't want to use Gmail, contacts, Google calendar, or in fact, *any* Google service, you don't have to! If you do, then you're outsourcing your privacy and security to them, you have the choice.

      My Android is bent to my will, the only interaction it has with Google is the Gmail logon I created the first time I turned it on, just to enable the Market, with no personal details, linked to nothing else and not used.

      That's the thing, whilst Google is almost as bad as Apple, you have the option to not give them anything you don't want to.

  11. sproot
    Big Brother

    Unfortunately Matthew

    They know who you are because you're in my contacts, linked by your phone number, and listed with your address and other email addresses.

    There is no escape.

    1. Anonymous Coward

      Cyanogen + sunny weather

      #1 get a real firmware

      #2 why the fuck do Linux users have to sync Android over the "cloud"? Got my own servers: if data leaks I'll blame myself but last thing I need is Apple-style nursery.

      - p
