Google rolls out security fix for Android data leak flaw

A report surfaced earlier this week indicating that there’s a security risk affecting 99 percent of Android devices. That’s a pretty large number, and Google unsurprisingly responded swiftly, bringing the hammer down on the Android OS with a shiny, new fix.

News of the potential security issue came from research conducted at Germany’s University of Ulm. The flaw affects Android version 2.3.3 and all older versions, and stems from the authentication protocol ClientLogin. Basically, your average app communicates with Google to request an “authentication token” (authToken) by sending over the device user’s account name and password via a secure connection. The authToken lives for no more than 14 days, but it can be reused during that time, and there’s a danger of it being captured by an “adversary,” who would then be able to extract any personal data exchanged by the app. Follow the source link for a much more knowledgeable (and technical) explanation, but that’s the basic gist of it.

Not the cataclysmic security flaw that the “99 percent of all devices are affected” statistic might suggest, but worrisome enough. Especially in this particular moment, when many of us are acutely aware of private data security concerns following Sony’s recent troubles. The security update from Google has already started to roll out, as the company revealed in a statement to Digital Trends:

“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.”