Google is patching the Android security hole


Summary: Just don't ask us how Google is repairing its Android Wi-Fi network security problem.


In the wake of the revelation that there's a huge security hole in Android's Wi-Fi communications with Google applications, Google told me and other journalists on May 18th that, "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days." Fair enough, but how?

Specifically, I asked Google, "Is this a server-side fix? A client-side fix that will be rolled out as an automatically applied patch? A change in the client settings to force the use of a secure connection? Some combination of all these? Will this 'fix' be deployed to other apps that use ClientLogin [the routine that has the security problem]? Is it a 'fix' to ClientLogin? Any details on how the fix will be deployed? In the U.S. first? Via the various carriers? OEMs?"

And Google answered, well, actually they never did answer. Darn it!

So, here's what I think Google is doing. I believe it must be a server-side fix since that's the one way Google can roll it out quickly and without getting the phone carriers and OEMs involved. The easiest way to do that is to simply disallow ClientLogin from working over any open, non-secured Wi-Fi connection. It's a kludge, but it should work.

At least, unlike Apple with its growing Mac Defender malware problem, Google admits to the problem and is addressing it. Apple still isn't even allowing its technical support staff to tell users how to rid themselves of malware.

If, as I suspect, Google is handling this on the server side, I believe the Android hole should be closed up within the week. I just wish I knew more about exactly how Google is going about this. Google? The ball is in your court now.

Related Stories:

Android has a gaping network security hole

The truth about the latest Google Android security scare (Updated)

99.7% of all Android smartphones vulnerable to serious data leakage

Most Android devices vulnerable to identity theft

Connect to a PPTP VPN from your Android phone

  • Kudos to Google for acknowledging the flaw

    The challenge for Google now is to effectively deliver the security update to its disparate customer base. How rapidly will we see machines being updated?
    Your Non Advocate
    • RE: Google is patching the Android security hole

      If they are Verizon customers then 4 - 6 months sounds about right.
    • Kudos to them, yes, but Steven's comparison of situation with Mac Defender

      @facebook@... ... malware totally misses, since it has nothing to do with Apple's software problems (there is no error in the software).
      • I disagree

        @denisrs

        Google acknowledges the flaw, Apple pretends theirs does not exist.

        When the Exxon Valdez damaged the Alaskan coast, Exxon did everything within its power to deflect blame and liability from themselves. When Tylenol had their issue with bottle tampering, Tylenol was front and center, doing everything within its power to mitigate the issue.

        Although it is too soon to tell if Google will behave with the corporate responsibility that Tylenol had, in this case Apple is certainly Exxon.
        Your Non Advocate
      • Which "flaw" is exactly in Apple's software?

        @facebook: there is nothing Apple can do if users willfully want to install malware.
  • not a fix

    Looks to me that they are only solving the issue for certain Google services like mail and calendar, and that the vulnerability will still exist for other apps, like it will still exist for Picasa.
  • Google should still work with the carriers and OEMs... get things patched on their end (I think they'll be a bit more motivated than usual), but the server side fix is a start.
    John L. Ries
  • How?

    "The easiest way to do that is to simply disallow ClientLogin from working over any open, non-secured Wi-Fi connection."

    How exactly would the servers know that the device is on a non-secured WiFi connection? And how exactly would this prevent someone "on the wire" between the WiFi AP and Google's services from sniffing the packets once they hit the wire?

    I would think that they are probably going to issue some sort of redirect when the clients hit the non-SSL version of the API, pushing them over to the SSL one (i.e. a 3xx code redirecting from http -> https).

    This could explain why Picasa won't be fixed in this, if the code used to access the system on the client side doesn't support redirection (hard-coded URLs, not following redirect replies), or if it simply sends along its authorization information without even hitting the system first.
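A toy model of the fix discussed in the post (a server-side change that stops serving ClientLogin calls over plaintext) and of the redirect behaviour this comment describes. This is an added example, not Google's code; the endpoint path, the HTTPS origin, the "GoogleLogin auth=" header shape and the token-leak counter are assumptions. It shows that a plain-HTTP-to-HTTPS redirect only protects clients that do not send their token on the first, unencrypted request.

```python
from dataclasses import dataclass, field

API_PATH = "/feeds/calendar"                   # assumed path, not a real Google endpoint
SECURE_ORIGIN = "https://api.example.invalid"  # placeholder for the HTTPS origin

@dataclass
class Request:
    scheme: str
    path: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def server(req: Request) -> Response:
    """Modelled server-side fix: never serve data over plain HTTP, redirect to HTTPS."""
    if req.scheme != "https":
        return Response(301, {"Location": SECURE_ORIGIN + req.path})
    if req.headers.get("Authorization", "").startswith("GoogleLogin auth="):
        return Response(200, body="calendar data")
    return Response(401)

def observe(req: Request, wire: list) -> None:
    """Passive observer on an open Wi-Fi: sees every header sent in plaintext."""
    if req.scheme == "http" and "Authorization" in req.headers:
        wire.append(req.headers["Authorization"])

def client_sync(token: str, follows_redirects: bool, sends_token_first: bool):
    """Client with a hard-coded http:// URL, in the two behaviours the comment distinguishes.
    Returns (final HTTP status, number of times the token crossed the wire in clear)."""
    wire = []
    auth = {"Authorization": "GoogleLogin auth=" + token}
    req = Request("http", API_PATH, dict(auth) if sends_token_first else {})
    observe(req, wire)
    resp = server(req)
    if resp.status == 301 and follows_redirects:
        req = Request("https", API_PATH, auth)   # retry at the Location target
        observe(req, wire)
        resp = server(req)
    return resp.status, len(wire)
```

A client that follows the redirect and only attaches its token to the HTTPS retry ends with status 200 and zero plaintext exposures; one that attaches the token to the very first request has already exposed it before the redirect arrives, whether or not it follows it.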
  • RE: Google is patching the Android security hole

    Has there been any acknowledgement from Google on the coincidence that several Google/Android users are having trouble with Gmail/calendars not syncing with their phones since 5/21-22?
    What a nightmare!
  • RE: Google is patching the Android security hole

    Okay... 2 months have passed. Anybody know the status of Google's "fix"?
  • RE: Google is patching the Android security hole

    I like this kind of mutual communication very much. I can learn much from that. The opinion that everyone gives can also be useful information.