A security vulnerability in some Google apps on Android has everybody stirred up again, so let's put this into perspective. In this article we'll explain why the threat is overblown and not even Android specific.
Update: And besides that, a fix is already being deployed.
In case you missed it, researchers in Germany found that if they hooked up a piece of hardware called a packet sniffer to an unprotected WiFi network they could see "authorization tokens" being transmitted in the clear to servers used by certain apps like Google Calendar.
A token is a long gobbledygook string of characters that the server creates and uses instead of your password (which is kept secret). An attacker watching this token go by can write a program that uses it to pretend to be you for a limited time. For example if you connect to the server with a buggy version of Google Calendar while someone nearby is watching then they can read and write items in your calendar.
This kind of vulnerability is well known, and many applications have run into it over the years. For example, Facebook and Twitter had the same problem. Their solution was to turn on encryption all the time, not just for the initial password exchange. Encryption increases load on the server and client but obviously in this case it's worth it.
The story is getting a lot of attention because it was noticed on Android, but it's not, in fact, an Android vulnerability. It's a security bug in any program that does not encrypt its authorization tokens. Google Calendar, Contacts, and Gallery, which were shipped in all versions of Android prior to 2.3.4, are three such programs. There may be others. The Calendar plug-in for Mozilla Thunderbird, which is a program that runs on PC, Mac, and Linux is another. GMail is NOT affected. Nobody has found the problem in banking and shopping programs either.
When I first read about the problem I thought "meh, no big deal", but seeing the coverage today you'd think the world was coming to and end (we have until May 21st, remember?). Here are a few examples (emphasis mine):
Should you be worried? Until a patch is available (either through the Market or an Android update) the problem can be avoided by not using the affected applications in a vulnerable situation. What's a vulnerable situation? Based on the information we have so far, IF you sync your calendar or contacts while using the open WiFi of the local StarBucks or airport, and IF somebody within 50 feet or so of you is waiting for you to do that and is running a packet sniffer, and IF you think they might do harm by looking at your doctor's appointments and boyfriend's phone number, THEN you might want to take precautions such as turning off WiFi until you get back home to your secure network. Otherwise, in my opinion it's not worth getting too worked up about.
Update: Google is rolling out a fix to the problem already, for all phones and computers. According to a spokesman,
"Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."
The fix is on the server side, and will fix everything except Picasa. Current authentication tokens will be erased and replaced with new ones upon logging back in to the affected service. Go go gadget, instant cloud update!