Android Phones Leaking Secret Account Credentials

Google has begun distributing a patch to address a security flaw in all but the latest versions of its Android mobile operating system. The vulnerability could allow an attacker to snoop on phones used on unencrypted Wi-Fi networks to gain access to calendar and contacts information. “This fix requires no action from users and will roll out globally over the next few days,” Google said. The update forces an HTTPS connection to encrypt traffic from Android devices to Google Calendar and Contacts servers, so an attacker listening in on an unprotected Wi-Fi network cannot intercept the authentication tokens, known as authTokens, used to validate devices. Google’s fix is being implemented on the server side, meaning it does not require a software update. Google is still investigating whether the issue affects its Picasa Web Albums service, which is reportedly also affected.