As expected, Google is issuing an update that should resolve the unencrypted Wi-Fi vulnerability caused with stolen credentials, or authToken, instead of waiting for the world to upgrade to Android 2.3.4 Gingerbread or Android 3.0 Honeycomb. The fix should roll-out globally within the next few days, and users will not be required to make any changes.
The vulnerability, or “potential security flaw” in Google’s words is specific to catching authToken while Android devices were communicating with Google servers over an unencrypted Wi-Fi network giving access to synchable data in Contacts, Picasa, and others. It’s quite apparent the fix being rolled-out is all back-end, with the way the network handles credentials, connecting to a more secure HTTPS server instead. The fix doesn’t resolve all the issues however, and the Gallery app, made by a third party, will still leak data when communicating with Picasa. No news on when that fix will arrive.
[RELATED_ARTICLE]While the response was relatively swift, the almost elementary flaw shouldn’t have existed in the first place, and definitely not for so long after it was fixed, even if unknowingly, with Android v2.3.4 Gingerbread. However, connecting to open Wi-Fi networks with a mobile device is never too wise anyway, unless you have other measures in place.
A few words of caution: even after the update has rolled-out in your region, try not to use open Wi-Fi networks, or at the very least be careful what you are doing in them – turn off auto-synching, no important personal/financial information, etc.. Updating your Android phone to the latest Gingerbread is the best solution, if possible, but we suspect Ice Cream Sandwich will arrive before a large 99% of the Android user base, with versions lower than 2.3.4, ever gets that update.
Image courtesy: Ulm University