Several days ago, researchers at Germany's University of Ulm published data confirming a flaw that Rice professor Dan Wallach had pointed to earlier: Android sends the authentication tokens for certain Google services over unencrypted connections, so anyone on the same unsecured WiFi network can capture those tokens and reuse them. In a nutshell, that means an attacker could view and modify your calendar and contact entries and see any photos you've got stored in Picasa's online component, without ever needing your password. It turns out that Android 2.3.4 moves Calendar and Contacts sync to encrypted connections, but Picasa remains unprotected whenever an attacker within radio range is sniffing packets -- and considering that the overwhelming majority of the world's Android devices are still running builds prior to 2.3.4, the fix has very little practical relevance at this point.
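To make the mechanics concrete, here is an added example in Python (not code from the post, from Google, or from the Ulm researchers). It shows what a passive listener on the same open network recovers from the phone's cleartext sync requests, and the client-side guard that 2.3.4's move to encrypted connections amounts to. The captured requests, hosts, paths and token strings are constructed for the example; the `GoogleLogin auth=<token>` header form is assumed to be the ClientLogin scheme Android's sync adapters used at the time, which the post itself does not name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample capture: what a passive sniffer on an open Wi-Fi network
# sees when a phone syncs over plain HTTP. Hosts, paths and token strings are
# made up. The "GoogleLogin auth=<token>" header form is assumed to be the
# ClientLogin scheme Android used for these services (the post does not name it).
CAPTURED_PLAINTEXT = (
    b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=CAL-TOKEN-EXAMPLE-0001\r\n"
    b"\r\n"
    b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=CONTACTS-TOKEN-EXAMPLE-0002\r\n"
    b"\r\n"
    b"GET /data/feed/api/user/default HTTP/1.1\r\n"
    b"Host: picasaweb.google.com\r\n"
    b"Authorization: GoogleLogin auth=PICASA-TOKEN-EXAMPLE-0003\r\n"
    b"\r\n"
    b"GET /robots.txt HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"\r\n"
)

TOKEN_RE = re.compile(r"GoogleLogin\s+auth=(\S+)", re.IGNORECASE)


def parse_requests(raw: bytes):
    """Split a cleartext HTTP request stream into (method, path, headers) tuples.

    Bodies are ignored: the token lives in a header, which is all a sniffer needs.
    """
    requests = []
    for chunk in raw.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.split(b"\r\n")
        method, path, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        requests.append((method.decode(), path.decode(), headers))
    return requests


def leaked_tokens(raw: bytes):
    """Return (host, path, token) for every cleartext request carrying a token.

    This is the attacker's whole job: no password is needed, the captured token
    alone authenticates the replayed request until the service expires it.
    Requests made over TLS never show up here, because the header travels
    inside the encrypted stream.
    """
    leaked = []
    for _method, path, headers in parse_requests(raw):
        match = TOKEN_RE.search(headers.get("authorization", ""))
        if match:
            leaked.append((headers.get("host", "?"), path, match.group(1)))
    return leaked


def tls_only(url: str) -> bool:
    """True if a request to this URL will carry its headers inside TLS."""
    return urlsplit(url).scheme == "https"


def attach_token(url: str, token: str) -> dict:
    """Client-side guard with the effect of 2.3.4 moving Calendar and Contacts
    sync to encrypted connections: never put the token on the wire over plain HTTP."""
    if not tls_only(url):
        raise ValueError(f"refusing to send an auth token in cleartext to {url}")
    return {"Host": urlsplit(url).netloc, "Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    for host, path, token in leaked_tokens(CAPTURED_PLAINTEXT):
        print(f"leaked: {host}{path} -> token {token}")
    print(attach_token("https://www.google.com/calendar/feeds/default/private/full",
                       "CAL-TOKEN-EXAMPLE-0001"))
    try:
        attach_token("http://picasaweb.google.com/data/feed/api/user/default",
                     "PICASA-TOKEN-EXAMPLE-0003")
    except ValueError as err:
        print("blocked:", err)
```

Run as-is, the script lists the three tokens an eavesdropper would walk away with (the fourth request carries none and is ignored), then shows the guard allowing the HTTPS sync and refusing the plain-HTTP one. The same rule can be enforced on the server side, by refusing to honour a token that arrives over plain HTTP, which protects every client at once without shipping firmware.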
Of course, that underscores one of Android's biggest weaknesses: new features and performance improvements aside, Google's inability to push security patches to every Android device in the world quickly is a particularly scary downside. Getting a fix out fast is one of the tangible benefits of Apple's monolithic, we-control-every-part-of-the-experience model -- and the recent global release of iOS 4.3.3 to "fix" location tracking underscores that particularly well.
Well, in this case, Google's found a creative workaround: for Calendar and Contacts specifically, it's deploying a server-side fix instead, which speaks to how tightly Android is bound to the cloud services that ship on it. There's no user download, no OTA firmware update, nothing for carriers to approve, no red tape that takes months to cut. Picasa's vulnerability is still under investigation, but we can probably all agree that it's a slightly less dangerous flaw than the other two (not much less dangerous, but a little). Here's the full statement out of Mountain View:
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."
That's great news -- but by all appearances, Google just "lucked out" here thanks to the nature of the vulnerability. The firmware bureaucracy could still very well trip them up down the road, and that's something we're all hoping gets solved to some degree by the 18-month upgrade pact announced at I/O last week.