Android Security Vulnerability Patched

On May 16, The Register posted a story about a pretty big security flaw in almost all versions of Android. The problem is that Android devices are sending authentication tokens over the air unencrypted, in plain text. To make matters worse, these tokens do not expire quickly, but rather over days or weeks. Someone with control over a Wi-Fi router could intercept the transmissions and get access to users’ accounts.

This problem is fixed in the latest release of Android, 2.3.4, but only a very small percentage of users have this version.

Google acted quickly and on May 18 announced that the problem could be fixed by a server-side change, so Android users would not have to worry about patching their devices. This fix is already deployed for calendar and contacts.

Also see MobileCrunch

My Take: Two thoughts. First, it is kind of scary that this problem has been around for so long without being noticed. Considering Android is open source, you’d think someone would have discovered this. I presume someone will sue Google, even though no actual damages can be proven.

Second, Google got very lucky that they were able to solve this problem with a server-side fix. Patches to Android have to be released by Google, then the OEMs have to create a build for their devices, and then the carriers have to approve it. That usually takes months. Only the Nexus devices get updates on Google’s schedule, but they represent a very small percentage of the Android population. Contrast this with Apple, which was able to get out a patch to the “LocationGate” problem in two weeks. Can you imagine if Microsoft wasn’t able to release a Windows patch without permission of each OEM? This is a problem that Google needs to address in Ice Cream Sandwich.

About Lee J.

Mobile Guy!