GCN LAB IMPRESSIONS

Google's handling of Android flaw should be a lesson for Sony

It almost seems like we aren’t safe anywhere these days. After hackers invaded my favorite gaming system, the PlayStation 3, I was shocked. Now it looks like there is a huge problem with my Android phone. Is nothing sacred?

However, where Sony totally dropped the ball on getting the word out about security, Google is running fast and hard to head off even the potential of problems associated with Android phones.

In the case of the Android, your phone is only vulnerable in limited circumstances. Specifically, if you connect your phone over an unsecured wireless network, a hacker can sniff the data it sends and then directly access your data. They would be limited to viewing or changing your calendar data, viewing your photos and stealing your contacts. Everything else would be safe.

Oddly enough, if you have the latest version of the Android OS, 2.3.3, you are immune to this problem, which was first discovered by researchers at Ulm University in Germany, and thankfully not by malicious hackers. That older OSs are in trouble is typical of things on the PC side, where older versions of operating systems are often susceptible to worms and hacks that have long since been patched.

The problem with Android phones is that most people don’t upgrade the OS. In fact, if you look at the number of users, you might be surprised to learn that the vast majority of them, as of the writing of this column, are at least two full versions behind the current one. Some are still using the version of the OS that shipped with their devices at launch years ago!

The reason for the heavy backlog on upgrades is that, although most people love their Android phones, the update process is a bear and a half. It takes forever to upgrade to the latest OS, so after doing it once, people don’t want to try it again. Why stick your hand into a fire twice? Thankfully, Google found a way to fix this current problem without requiring an update. They simply required that calendar and other apps use an HTTPS connection instead of the unsecured HTTP one they use now. No need to do anything. You will be protected in a few days even if you have an older OS version.

So a big thanks to Google for taking security seriously, and for doing everything right. Contrast their actions with how Sony bungled their hack, and you’ll see why the Android platform has such a following.

The bottom line, though, is that you’re really not safe anywhere. Hope for the best but fear the worst. And plan accordingly.

About the Author

John Breeden II is a freelance technology writer for GCN.

Reader Comments

Fri, May 20, 2011

The latest version is 2.3.4, not 2.3.3

Fri, May 20, 2011 Derek H

Where are you getting this garbage about Android phones being difficult to update? I keep hearing this myth on the radio, TV, etc. I had my Android OS updates pushed to me automatically, painlessly literally while I slept -- the issue is whether the HARDWARE is able to support the new OS loads. My Nook Color only JUST got B&N's version of 2.2 last month. 2.3.3? I'm not holding my breath.

Fri, May 20, 2011

A significant reason why phones run old versions of Android is because phone manufacturers and/or mobile operators don't keep them up to date. Why would they want to prolong the usefulness of *your* device at the expense of new device sales?

Thu, May 19, 2011 Gary Sydney

Let's see, the "hole" was reported Feb. 22 (http://www.freedom-to-tinker.com/blog/dwallach/things-overheard-wifi-my-android-smartphone). How is it in any way conceivable that Google handled this flaw better than Sony? I have both a PS3 and an Android and have no issue with the way either company has handled things.

Thu, May 19, 2011 W!re$hark3r

This report, while true, does not cover the technicalities of the hole. The researchers at Germany's University of Ulm state "To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks". You need to be within wireless range of the adversary for the data to be intercepted. What's also interesting is that it would intercept data from any connected device, mobile or laptop!!
