In the wake of the revelation that there’s a huge security hole in Android’s Wi-Fi communications with Google applications, Google told me and other journalists on May 18th that, “Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.” Fair enough, but how?
Specifically, I asked Google, “Is this a server-side fix? A client-side fix that will be rolled out as an automatically applied patch? A change in the client settings to force the use of a secure connection? Some combination of all these? Will this ‘fix’ be deployed to other apps that use ClientLogin [the routine that has the security problem]? Is it a ‘fix’ to ClientLogin? Any details on how the fix will be deployed? In the U.S. first? Via the various carriers? OEMs?”
And Google answered, well, actually they never did answer. Darn it!
So, here’s what I think Google is doing. I believe it must be a server-side fix since that’s the one way Google can roll it out quickly and without getting the phone carriers and OEMs involved. The easiest way to do that is to simply disallow ClientLogin from working over any open, non-secured Wi-Fi connection. It’s a kludge, but it should work.
At least, unlike Apple with its growing Mac Defender malware problem, Google admits to the problem and is addressing it. Apple still isn’t even allowing its technical support staff to tell users how to rid themselves of malware.
If, as I suspect, Google is handling this on the server side, I believe the Android hole should be closed up within the week. I just wish I knew more about exactly how Google is going about this. Google? The ball is in your court now.
Related Stories:
Android has a gaping network security hole
The truth about the latest Google Android security scare (Updated)
99.7% of all Android smartphones vulnerable to serious data leakage
