How Cutting-Edge Technology & Science Are Powering The Future TPM Idealab
The security researchers' Friday revelation gained traction on the internet Tuesday as US blogs picked up the news that it is relatively easy to gain access to Android users' personal information in mobile applications such as their contacts list and calendar events.
The researchers said that hackers are able to do this when the apps use Google's ClientLogin protocol with an unsecure version of the Hypertext Transfer Protocol over open WiFi Networks.
"The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data," wrote Bastian KÃ¶nings, Jens Nickels, and Florian Schaub at the University of Ulm in Germany. "Private information of others is also affected, potentially including phone numbers, home addresses, and email addresses.
"Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."
Version 2.3.4 of Android and upward have fixed the issue by implementing https.
The development comes a few days before Google is scheduled to testify about wireless privacy in front of a Senate subcommittee on consumer protection.
The Federal Trade Commission's director of consumer protection and officials from Apple, the non-profit group Common Sense Media, Facebook, the Association for Competitive Technology will also testify.
The researchers' findings come after a series of other mobile privacy panics concerning both Apple and Android. Those spurred a recent hearing on the issue of mobile privacy at a Senate Judiciary Subcommittee helmed by Sen. Al Franken (D-MN.)