
Don’t fret about Android phones leaking your secrets


Android phones “all leak secrets” if you believe the front page of today’s Metro. But should we be worried about this latest smartphone security scare, or will it be fixed before anyone’s data is actually stolen?

So what’s behind this headline? Well, three German boffins – Bastian Konings, Jens Nickels, and Florian Schaub – have been beavering away in a lab in the bustling metropolis of Ulm (no, me neither) trying to find a weak point in Google’s operating system.

Success came in the form of a ‘data leak which lets criminals steal users’ personal information’. Apparently at risk are the private calendars, contacts and pictures of any Android user, and it’s not something we can control ourselves.

Is your Android feeling insecure?

The problem stems from the way Android phones log in to web services, including Google Calendar, Contacts and photo apps – all integrated into the very heart of the operating system.

Security is managed using an authentication ‘token’. But in what must surely be seen as a D’oh! moment for anyone with a grasp of digital security, the token is sent unencrypted in plain text over non-secure networks.

This would be fine, were it not for the threat of ever-present bad guys, lurking near your wi-fi network, eavesdropping, and ready to pounce on your unencrypted data.

Once your tokens are theirs, it’s theoretically possible for the cybercriminals to pose as you and access whatever you’ve got stored for your contacts – email addresses, phone numbers, addresses, Twitter and Facebook IDs.

They could also mess with your calendar, wreaking havoc on anyone, like me, who has dispensed with a paper diary in favour of an always-synced fully-searchable online repository for my personal life. Mustn’t forget – I’ve got a dentist’s appointment next week, so I might scribble that on a post-it note just in case the hackers see messing up my dental hygiene schedule as a high priority.

How big’s the data risk?

Eagle-eyed readers may have spotted the critical word above: theoretical. So far, there are no reports of any real-world attacks exploiting this new vulnerability.

The security flaw is said to have been fixed in the latest smartphone version of Android – Gingerbread version 2.3.4, but the best estimate is that just 0.3% of Android phones are actually running this. Google Nexus S users, you should be thankful.

The rest of us will have to wait until our networks and handset manufacturers roll out the latest update to all of us. This will take time, although I must confess I’m not too worried.

As with many so-called security risks, it’s wi-fi that’s the weakest link. Stick to networks you can trust, and try not to worry too much. Somebody, somewhere, will hopefully find the inevitable next data risk before it can harm you. Or has this latest issue made you less trusting of Google and your smartphone?


Well, that was quick and it looks like you were right, Al. Google will be rolling out a fix, which will be on their server side fixing the authentication problems with Contacts and Calendar – there will be no need for us Androiders (is that what we are?) to do anything. No update needed… so no need to wait for manufacturers to stop sitting on their hands and get it out to us. Good news.

Or bad news if you are waiting for the update from Orange 🙁

Simon says:
19 May 2011

Well done Which? for responding to the worrying Metro article. As a new Android user I was a tad worried, but I can sleep more easily now, thanks 🙂

You and me both.

Me too – glad to see that automatic fix. Although, as Al said, there may not have been as much cause for concern as headlines liked to make out!