The Globe and Mail

Android smart phones face data breach threat

Owners of Android smart phones are being warned to avoid public WiFi networks after researchers found a security flaw that could affect the vast majority of devices based on Google's software.

A trio of researchers at Ulm University in Germany found that it was "quite easy" for hackers to intercept data from Google's photo-sharing, calendar and contacts applications, as well as potentially other Google services such as Gmail, using a flaw that affects 99 per cent of all Android devices.

The revelation will again put the spotlight on Google's approach to security with its mobile operating system, which is the most popular software for smartphones in the world. The security flaw has been fixed in version 2.3.4 of the Android operating software and later versions.

In March, Google was forced to remove more than 50 rogue applications, which could have stolen data or sent costly messages, from tens of thousands of Android devices.

The attack works when an unsecured wireless access point imitates a public WiFi hot spot that the phone has accessed before, such as one at a coffee shop chain, and captures an authentication token.

That token can then be used by attackers to access and modify personal data in Picasa, Google's photo site, Calendar and Contacts. Business customers using Google apps on Android are not affected by the weakness because all traffic is encrypted by default.

"The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data," said the Ulm researchers in a posting on their website.

"Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored e-mail address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

Google said of the flaw: "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa."

However, according to the researchers, the flaw still affects devices running older versions of Android, which make up 99.7 per cent of Google smartphones in use today.

"The latest research just shows that Android users need to be even more careful with their phones than they are with their PCs," said Omri Sigelman, vice-president of AVG Mobilation, a provider of security software for Android.

"All platforms are vulnerable to hackers, particularly at the beginning of their lives, but the openness and popularity of Android means that it is especially at risk. Sadly, many operators don't provide the necessary updates, leaving their users vulnerable to critical flaws like this one."

The Ulm researchers recommended that Android users turn off "automatic synchronisation" in the settings menu when connecting with open WiFi networks and let their devices "forget" wireless networks they have used previously.

"The best protection at the moment is to avoid open WiFi networks at all when using affected apps," they wrote.
