Google is patching the Android security hole

Summary: Just don't ask us how Google is repairing its Android Wi-Fi network security problem.

In the wake of the revelation that there's a huge security hole in Android's Wi-Fi communications with Google applications, Google told me and other journalists on May 18th that, "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days." Fair enough, but how?

Specifically, I asked Google, "Is this a server-side fix? A client-side fix that will be rolled out as an automatically applied patch? A change in the client settings to force the use of a secure connection? Some combination of all these? Will this 'fix' be deployed to other apps that use ClientLogin [the routine that has the security problem]? Is it a 'fix' to ClientLogin? Any details on how the fix will be deployed? In the U.S. first? Via the various carriers? OEMs?"

And Google answered, well, actually they never did answer. Darn it!

So, here's what I think Google is doing. I believe it must be a server-side fix since that's the one way Google can roll it out quickly and without getting the phone carriers and OEMs involved. The easiest way to do that is to simply disallow ClientLogin from working over any open, non-secured Wi-Fi connection. It's a kludge, but it should work.

At least, unlike Apple with its growing Mac Defender malware problem, Google admits to the problem and is addressing it. Apple still isn't even allowing its technical support staff to tell users how to rid themselves of malware.

If, as I suspect, Google is handling this on the server side, I believe the Android hole should be closed up within the week. I just wish I knew more about exactly how Google is going about this. Google? The ball is in your court now.


About

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system; 300bps was a fast Internet connection; WordStar was the state-of-the-art word processor; and we liked it. His work has been published in everything from highly technical publications...
