In the wake of the revelation that there's a huge security hole in Android's Wi-Fi communications with Google applications, Google told me and other journalists on May 18th that, "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days." Fair enough, but how?
Specifically, I asked Google, "Is this a server-side fix? A client-side fix that will be rolled out as an automatically applied patch? A change in the client settings to force the use of a secure connection? Some combination of all these? Will this 'fix' be deployed to other apps that use ClientLogin [the routine that has the security problem]? Is it a 'fix' to ClientLogin? Any details on how the fix will be deployed? In the U.S. first? Via the various carriers? OEMs?"
And Google answered, well, actually they never did answer. Darn it!
So, here's what I think Google is doing. I believe it must be a server-side fix, since that is the one way Google can roll it out quickly without getting the phone carriers and OEMs involved. The easiest way to do that is simply to refuse ClientLogin requests arriving over any open, non-secured Wi-Fi connection. It's a kludge, but it should work.
If, as I suspect, Google is handling this on the server side, I believe the Android hole should be closed within the week. I just wish I knew more about exactly how Google is going about this. Google? The ball is in your court now.