In the wake of Google's self-proclaimed momentum at the Google I/O conference last week, the creator of Android is getting hit with some stark realities about the security of its open-source operating system. A newly discovered flaw has the potential for widespread impact.
There are 100 million activated Android devices, according to Google, and 400,000 new devices are activated every day. In all, researchers at Ulm University in Germany who discovered the flaw last week estimate about 98 percent of Android users are vulnerable.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so," the researchers wrote in a blog post. "Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs."
How Bad Is It?
Google responded with an official statement: "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts. This fix requires no action from users and will roll out globally over the next few days."
As Mike Paquette, chief strategy officer at Top Layer Security, sees it, Google is dealing with a serious vulnerability -- and individual users could indeed lose confidential information.
Still, he added, this doesn't reach the "sky is falling" category since the attacker would require some level of physical proximity to the victim to steal the authentication tokens that would enable fraud, theft or loss.