On May 16, The Register posted a story about a serious security flaw in almost all versions of Android. The problem is that Android devices send authentication tokens over the air unencrypted, in plain text. To make matters worse, these tokens do not expire quickly; they remain valid for days or weeks. Someone with control over a wifi router could intercept the transmissions and gain access to users’ accounts.
This problem is fixed in the latest release of Android, 2.3.4, but only a very small percentage of users have this version.
Google acted quickly and on May 18 announced that the problem could be fixed by a server-side change, so Android users would not have to worry about patching their devices. This fix is already deployed for calendar and contacts.
Also see MobileCrunch
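To make the exposure concrete from the defender’s side, here is an added example (my own code, not from The Register, Google or the Android project): it scans constructed request records from a wireless segment and flags any credential carried over plain http, redacting the value so the report itself does not leak the secret. The header and query-parameter names it looks for are generic assumptions, not Android’s actual token format.

```python
import re

# Constructed sample of HTTP requests observed on a wireless segment: one
# record per request with scheme, host, request target and the Authorization
# header ("-" when absent). Made-up data for illustration, not a real capture.
SAMPLE_REQUESTS = [
    "http  calendar.example.invalid  /feeds/default            Authorization: Token abcd1234secrettoken",
    "https calendar.example.invalid  /feeds/default            Authorization: Token abcd1234secrettoken",
    "http  www.example.invalid       /index.html               -",
    "http  contacts.example.invalid  /feeds?auth=zz99secrettok -",
]

# Assumed places a bearer-style credential travels: the Authorization header
# (scheme followed by the token) or a query-string parameter such as auth=.
HEADER_RE = re.compile(r"Authorization:\s*\S+\s+(\S+)")
QUERY_RE = re.compile(r"[?&](?:auth|token|access_token)=([^&\s]+)")


def redact(token: str) -> str:
    """Keep only a short prefix so findings can be logged without leaking the secret."""
    return token[:4] + "..." if len(token) > 4 else "****"


def find_cleartext_tokens(records):
    """Return (host, location, redacted_token) for every credential sent over plain http.

    Requests over https are skipped: TLS hides the token from a passive listener
    such as a hostile wifi router, which is exactly the attacker in this story.
    """
    findings = []
    for rec in records:
        parts = rec.split(maxsplit=3)
        scheme, host, target = parts[0], parts[1], parts[2]
        header = parts[3] if len(parts) > 3 else "-"
        if scheme != "http":
            continue
        m = HEADER_RE.search(header)
        if m:
            findings.append((host, "header", redact(m.group(1))))
        m = QUERY_RE.search(target)
        if m:
            findings.append((host, "query", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for host, where, tok in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(f"cleartext credential to {host} in {where}: {tok}")
```

Each finding is a token a passive listener on the segment could have copied; because such tokens stay valid for days, every hit should be treated as a credential that needs revoking, not just a logging noise item.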
My Take: Two thoughts. First, it is kind of scary that this problem has been around for so long without being noticed. Considering Android is open source, you’d think someone would have discovered this. I presume someone will sue Google, even though no actual damages can be proven.
Second, Google got very lucky that they were able to solve this problem with a server-side fix. Patches to Android have to be released by Google, then the OEMs have to create a build for their devices, and then the carriers have to approve it. That usually takes months. Only the Nexus devices get updates on Google’s schedule, but they represent a very small percentage of the Android population. Contrast this with Apple, which was able to get out a patch to the “LocationGate” problem in two weeks. Can you imagine if Microsoft weren’t able to release a Windows patch without the permission of each OEM? This is a problem that Google needs to address in Ice Cream Sandwich.