Researchers in Germany have uncovered a security flaw in Android. Frighteningly, 99 percent of Android users are currently affected, as the flaw hits anyone running a version of the OS lower than the most recent 2.3.4, so basically anyone who doesn't have an updated Nexus One or Nexus S.
The flaw stems from the lack of a secure connection between Android and Google's authentication system. When a user submits login credentials for Calendar or Contacts, Google returns an authentication token that's sent over HTTP. That token can be used for 14 days to access the user's account.
This problem doesn't affect Android versions 3.0 or 2.3.4 as much as it does all earlier versions, because those two releases use HTTPS for Calendar and Contacts. Picasa traffic, however, is still transmitted insecurely.
Researchers say that hackers can easily extract this information from an Android phone through the use of a fake, "dummy" wireless network that a user's phone would try to connect itself to.
This oversight is a huge problem, as the vast majority of Android devices don't get immediate access to new versions the way the Nexus phones do. Fortunately, Google is able to implement a server-side fix that should patch things up for Calendar and Contacts on all Android versions, though Picasa is still a question mark.
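A defender-side check for the exposure described above, as an added example that is not from the researchers or Google: it scans logged sync requests for authentication tokens sent over plain HTTP and reports how long each one stays usable under the 14-day lifetime. The record layout, hosts, token values and the `token_issued` field are constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)  # validity period given in the article

# Constructed sample records, not real traffic. Hosts, header values and the
# "token_issued" field are assumptions made for this example.
SAMPLE_REQUESTS = [
    {"url": "http://calendar.example/feeds/default",
     "headers": {"Authorization": "token-AAA"},
     "token_issued": "2011-05-10T08:00:00"},
    {"url": "http://contacts.example/feeds/default",
     "headers": {"authorization": "token-AAA"},
     "token_issued": "2011-05-10T08:00:00"},
    {"url": "https://calendar.example/feeds/default",
     "headers": {"Authorization": "token-BBB"},
     "token_issued": "2011-05-16T08:00:00"},
    {"url": "http://photos.example/data/feed",
     "headers": {"Authorization": "token-CCC"},
     "token_issued": "2011-04-20T08:00:00"},
    {"url": "http://photos.example/static/logo.png", "headers": {}},
]


def audit_cleartext_tokens(requests, now):
    """Return one finding per token sent over plain HTTP that is still valid."""
    findings = {}
    for req in requests:
        # Header names are case-insensitive, so normalise before the lookup.
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        token = headers.get("authorization")
        parts = urlsplit(req["url"])
        if not token or parts.scheme.lower() != "http":
            continue  # no credential on the wire, or protected by TLS
        expires = datetime.fromisoformat(req["token_issued"]) + TOKEN_LIFETIME
        if expires <= now:
            continue  # past the 14-day lifetime, no longer usable
        entry = findings.setdefault(
            token, {"token": token, "hosts": set(), "usable_until": expires})
        entry["hosts"].add(parts.hostname)
    return sorted(findings.values(), key=lambda f: f["token"])


if __name__ == "__main__":
    now = datetime(2011, 5, 17, 12, 0)  # constructed audit time
    for f in audit_cleartext_tokens(SAMPLE_REQUESTS, now):
        print(f["token"], sorted(f["hosts"]), "usable until", f["usable_until"])
```

Each finding groups every host that received the same token in cleartext, which shows how far a single exposed token reaches before it expires.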
Reported by Computerworld, Google's official statement is: