Researchers from Ulm University in Germany have announced the discovery of an unpatched security flaw that currently leaves more than ninety-nine percent of Android users susceptible to having their private information harvested by way of Wi-Fi networks.
The flaw leaves unencrypted authentication tokens open to theft by hackers while users access Wi-Fi connections. The vulnerability exists on all devices running the Android 2.3.3 operating system or earlier versions.
"We were really surprised. Were we really the first ones to find this? Google offers more secure ways of interacting with its APIs," said Florian Schaub, one of the researchers who identified the security flaw.
The problem lies in the fact that the unencrypted authentication tokens, which grant permission to access various sets of stored information, can last as long as two weeks - plenty of time for a hacker who has lifted the tokens to use them to access sensitive data on a targeted victim's device.
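As an added example (not code from the article, the researchers or Google), a small Python audit that takes one captured HTTP request and reports the two conditions described above: a credential header sent over plain HTTP, and how long a lifted token would remain usable within the two-week lifetime. The request sample, timestamps, credential header names and the GoogleLogin header format are assumptions, not details from the page.

```python
# Added example (not from the article or Google): audit a captured HTTP request
# for the two weaknesses described above, a credential sent without TLS and a
# token that stays usable for up to two weeks. Samples below are constructed.
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(days=14)  # lifetime cited in the article
CREDENTIAL_HEADERS = ("authorization", "cookie")  # assumed token carriers


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit_request(raw, tls, token_issued, now):
    """Describe the exposure of one captured request.

    tls: True when the capture came from an HTTPS connection.
    token_issued / now: datetimes used to compute remaining token validity.
    """
    _method, target, headers = parse_request(raw)
    carries_token = any(h in headers for h in CREDENTIAL_HEADERS)
    # The token is readable by other Wi-Fi users only when sent in cleartext.
    exposed = carries_token and not tls
    # A lifted token stays usable until the lifetime quoted in the article ends.
    remaining = TOKEN_LIFETIME - (now - token_issued) if carries_token else timedelta(0)
    return {
        "target": target,
        "carries_token": carries_token,
        "cleartext_exposure": exposed,
        "remaining_validity_days": max(remaining.total_seconds() / 86400, 0.0),
    }


# Constructed capture; the GoogleLogin header format is assumed, not from the page.
SAMPLE_REQUEST = (
    "GET /calendar/feeds/default HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_VALUE\r\n\r\n"
)
ISSUED = datetime(2011, 5, 1)
NOW = datetime(2011, 5, 4)
```

Run `audit_request(SAMPLE_REQUEST, False, ISSUED, NOW)` to see the cleartext case flagged with eleven days of validity left; pass `True` for `tls` and the exposure flag clears.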
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," the researchers stated.
Google has eliminated the vulnerability in the latest Android release, version 2.3.4, but researchers point out that the majority of devices are not running the newer version, leaving 99.7% currently exposed.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," a Google spokesman said.
Fragmentation of the Android marketplace makes the prospect of getting the patch distributed to users that much tougher, and there is simply no avenue available for consumers to download the updates directly.
Even after Google issues the fix, it will be up to individual carriers or the various manufacturers of smartphones and tablets running the operating system to make the security updates available to those in need.
Google has unveiled a program to address the issue of fragmentation in the marketplace, but it could be several years before the system is widely available.
Meanwhile, the explosion in smartphone and tablet popularity is outpacing the industry's ability to keep pace with the criminal hackers who are eager to exploit the lack of security and consumer naivete.
"The reality is, you're carrying around a desktop computer in your pocket -- but there's no security like there is on computers," said Dave Aitel, a former computer scientist for the National Security Agency, noting that smartphones are not equipped with antivirus and firewall protections when sold to consumers.
Juniper Networks released a report last week which reveals that samples of malware strains targeting devices running the Android operating system increased 400% between June of 2010 and January of 2011.
"People are just beginning to exploit these phones... You're going to see a steady drip of these," Aitel said.