UPDATED: More than 99% of smartphones that use Google's Android operating system leak information that could lead to users' personal data being stolen, German researchers have claimed.
Hackers can gain access to phone users' log-in details, to Google Calendar, Google Contacts and possibly other services by intercepting a phone's attempts to connect to Wi-Fi networks, the researchers claim.
The information that can then be accessed includes personal data belonging to the user and of other people whose contact information is stored on the phones' applications, the researchers said.
Google has said that the problem will be fixed within days. "This fix requires no action from users and will roll out globally over the next few days," said a Google spokeswoman.
"The implications of this vulnerability reach from disclosure to loss of personal information for the [Google] Calendar data. For [Google] Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses," the researchers Bastian Könings, Jens Nickels and Florian Schaub said in a blog post about their discovery.
"Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business," the researchers said.
Authentication tokens, which record the log-in details phone users enter to gain access to applications, remain valid for 14 days, the researchers claimed. The tokens are exposed when the phone tries to make a connection with Wi-Fi networks, the researchers said.
"With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture [authentication tokens] for each service that attempted syncing. Due to the long lifetime of [authentication tokens], the adversary can comfortably capture a large number of tokens and make use of them later on from a different location," the researchers from Ulm University said.
The flaw is present in Android 2.3.3 and has been fixed in later versions of the software, the researchers said. But according to Google's own figures, only 0.3% of its Android users use subsequent versions of the software.
The researchers found that Google's photo sharing website Picasa still used unencrypted authentication tokens in an updated version of Android.
A Google spokesman said that the company was aware of the problem.
"We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa," the Google spokesman said.
Researchers Könings, Nickels and Schaub said Android users should use secure internet connections to log into accounts and use the phone's settings to switch off "automatic synchronisation" of applications when connecting to open Wi-Fi networks.
"Update your phone to the current Android version as soon as possible. However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone," the researchers also advised users.
Google should "drastically limit" the length of time for which authentication tokens remain valid, the researchers said.
Google could restrict how applications connect to Wi-Fi networks, the researchers said.
"Automatically connecting to known Wi-Fi networks could be limited to protected networks. At least a respective option should be provided to users," the researchers said.
Könings, Nickels and Schaub also said Google services could reject log-in requests from the flawed system that come from insecure internet connections and "enforce use" of more secure networks.
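The two server-side remedies the researchers describe above, a much shorter token lifetime and refusal of token-bearing requests that arrive over an insecure connection, can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the Ulm researchers or from Google, and it assumes a hypothetical self-describing token format (user, issue time, HMAC) and a constructed signing key. The replay scenario compares the 14-day lifetime the article criticises with a one-hour lifetime.

```python
import hashlib
import hmac

# Constructed server-side signing key for this example only (hypothetical;
# a real service would keep its key in a KMS/HSM, never in source).
SERVER_KEY = b"example-signing-key-not-for-production"

# Token lifetimes in seconds: the 14-day lifetime the article describes,
# and a drastically shorter one as the researchers recommend.
LONG_TTL = 14 * 24 * 3600
SHORT_TTL = 60 * 60


def issue_token(user: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Mint a token in the hypothetical format user.issued_at.mac."""
    body = f"{user}.{issued_at}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def validate_request(request: dict, now: int, ttl: int, key: bytes = SERVER_KEY) -> tuple[bool, str]:
    """Accept or reject one sync request carrying an auth token.

    `request` is a constructed dict with 'scheme' ('http' or 'https') and 'token'.
    Returns (accepted, reason) so callers and logs can see why a request failed.
    """
    # Remedy 1: refuse tokens presented over plaintext. A token that an app
    # sends without TLS (for example while auto-syncing on an open Wi-Fi
    # network) then never authorises anything on the server side.
    if request.get("scheme") != "https":
        return False, "token presented over plaintext connection"

    token = request.get("token", "")
    try:
        user, issued_str, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed token"

    expected = hmac.new(key, f"{user}.{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"

    # Remedy 2: a short lifetime bounds how long a captured token stays usable.
    if issued_at > now:
        return False, "token issued in the future"
    if now - issued_at > ttl:
        return False, "token expired"
    return True, f"ok for {user}"


def replay_scenario(ttl: int) -> list[str]:
    """Constructed timeline: a phone syncs at t0 and the same token is
    presented again three days later from elsewhere, over https."""
    t0 = 1_700_000_000
    token = issue_token("alice", t0)
    results = []

    # The original sync over plaintext http is refused outright.
    ok, why = validate_request({"scheme": "http", "token": token}, t0, ttl)
    results.append(f"plaintext sync: {'accepted' if ok else 'rejected'} ({why})")

    # The later presentation over https succeeds only if the lifetime allows it.
    later = t0 + 3 * 24 * 3600
    ok, why = validate_request({"scheme": "https", "token": token}, later, ttl)
    results.append(f"replay after 3 days: {'accepted' if ok else 'rejected'} ({why})")
    return results


if __name__ == "__main__":
    for ttl, label in ((LONG_TTL, "14-day lifetime"), (SHORT_TTL, "1-hour lifetime")):
        print(label)
        for line in replay_scenario(ttl):
            print("  " + line)
```

With the 14-day lifetime the three-day-old token is still accepted, which is the window the researchers object to; with the one-hour lifetime it is rejected as expired, and in both cases the plaintext presentation is refused before the token is even parsed.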
The researchers said that they had built on research by Professor Dan Wallach who in February revealed vulnerabilities with how Android protected users' access details for Facebook, Twitter and Google Calendar applications. These latest claims follow a spate of recent high-profile stories about data leaks.
Earlier this month Symantec, a security research company, said it had found flaws in Facebook software that could allow other companies, such as advertisers, access to user accounts.
Recently software giant Sony admitted that it had been the subject of a hack to its Sony Online Entertainment system and PlayStation Network. The company said that more than 100 million users' personal data could have been stolen. The PlayStation Network has only recently been restored following the attack.