Android phones and tablets running version 2.3.3 and earlier suffer from a Google app vulnerability on public Wi-Fi networks, according to a new report. However, there are some concrete steps you can take to protect yourself.
Seth Rosenblatt, Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Update, Wednesday at 11:45 a.m. PT: Google has issued a fix that forces the affected Google apps to connect via the secure protocol HTTPS. As long as you update your apps when the fix is pushed out, this public Wi-Fi vulnerability won't affect you. Until then, it's best to use public Wi-Fi with extreme caution or follow the instructions below.
Here's how it works. The vulnerability is in the ClientLogin Protocol API, which streamlines how the Google app talks to Google's servers. Applications request access by sending an account name and password over a secure connection, and the access token they receive is valid for up to two weeks. If that token is later sent over unencrypted HTTP, an attacker could use network-sniffing software to capture it on a legitimate public network, or set up a rogue network with a common name, such as "airport" or "library," and capture it there. While the attack won't work on Android 2.3.4 or above, including Honeycomb 3.0, those versions cover only 1 percent of in-use devices.
Of course, the safest solution is to avoid using public, unencrypted Wi-Fi networks by switching to mobile 3G and 4G networks whenever possible. But that's not always an option, especially for Wi-Fi-only tablet owners or those on tight data plans.
One legitimate if painstaking option is to disable syncing for the affected Google apps when connected via public Wi-Fi. The security risk affects apps that connect to the cloud by sending the authToken over unencrypted HTTP rather than HTTPS. The apps tested by the researchers who wrote the report revealing the vulnerability included Contacts, Calendar, and Picasa. Gmail is not vulnerable because it uses HTTPS.
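The two paragraphs above describe the problem (an authToken reused for up to two weeks and sent over plain HTTP) and Google's fix (forcing the apps onto HTTPS). The following is an added example, not code from the article or from Google, that shows both sides of that mitigation in Python: a client-side guard that refuses to attach the token unless the URL is HTTPS, and a reviewer's check that scans captured requests for tokens sent in the clear. The `Authorization: GoogleLogin auth=<token>` header shape is the documented ClientLogin convention and is not mentioned on the page; the token values, capture records and `example.invalid` endpoint URLs are all constructed for the demonstration.

```python
"""Defensive handling of ClientLogin-style auth tokens on untrusted networks.

Added example, not code from the article or from Google. The token values,
capture records and endpoint URLs below are constructed for this demo.
"""
import re
from urllib.parse import urlsplit


class InsecureTransportError(Exception):
    """Raised when a credential would be sent over a non-TLS connection."""


def build_auth_headers(url: str, auth_token: str) -> dict:
    """Return request headers carrying a ClientLogin token for `url`.

    The header shape 'Authorization: GoogleLogin auth=<token>' is the
    ClientLogin convention (assumed from the API docs, not from the article).
    The HTTPS gate is the mitigation the article describes: the token is
    attached only when the transport is encrypted, so a sniffer on the same
    Wi-Fi network never sees it in the clear.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise InsecureTransportError(
            f"refusing to send auth token over {parts.scheme!r} to {parts.netloc}"
        )
    return {"Authorization": f"GoogleLogin auth={auth_token}"}


# Detection side: someone reviewing a capture from a test device can flag
# requests that carry a ClientLogin token over plain http://.
# Each record is a constructed stand-in for one captured HTTP request.
SAMPLE_CAPTURE = [
    {"method": "GET", "url": "http://example.invalid/contacts/feed",
     "headers": {"Authorization": "GoogleLogin auth=DQAAABcd-constructed-token-1"}},
    {"method": "GET", "url": "https://example.invalid/calendar/feed",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAEfg-constructed-token-2"}},
    {"method": "GET", "url": "http://example.invalid/public/page",
     "headers": {"User-Agent": "constructed/1.0"}},
]

_TOKEN_RE = re.compile(r"^\s*GoogleLogin\s+auth=(\S+)", re.IGNORECASE)


def find_plaintext_tokens(capture):
    """Return (url, token_prefix) for each request that sends a ClientLogin
    token over an unencrypted scheme. Only the first six characters of the
    token are reported so the finding itself does not leak the credential."""
    findings = []
    for record in capture:
        if urlsplit(record["url"]).scheme.lower() == "https":
            continue  # encrypted transport: nothing to flag
        for name, value in record["headers"].items():
            if name.lower() != "authorization":
                continue
            match = _TOKEN_RE.match(value)
            if match:
                findings.append((record["url"], match.group(1)[:6]))
    return findings


if __name__ == "__main__":
    print(build_auth_headers("https://example.invalid/calendar/feed", "constructed"))
    for url, prefix in find_plaintext_tokens(SAMPLE_CAPTURE):
        print(f"plaintext ClientLogin token ({prefix}...) sent to {url}")
    try:
        build_auth_headers("http://example.invalid/contacts/feed", "constructed")
    except InsecureTransportError as exc:
        print("blocked:", exc)
```

Run as a script, the block prints the HTTPS headers, flags the one constructed request that sends a token over `http://`, and shows the guard rejecting the same request. The guard checks the scheme before the header is built rather than after the request is sent; an app that still has the token in hand when it discovers the transport is insecure has already lost.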
However, this is a cumbersome fix, as it requires going into each app before you connect and manually disabling syncing for the time you're on the particular public Wi-Fi network. A much easier solution is to use an app. One of the best apps for secure communication is SSH Tunnel, which was designed for Android users stuck behind the Great Firewall of China. SSH Tunnel has some limitations: you must root your phone to use it, and the makers strongly advise people not in China to look elsewhere for a secure tunneling app.
Users of third-party custom ROMs like CyanogenMod ought to check what security enhancements their installed ROM comes with. CyanogenMod, for example, has VPN support built in but turned off by default. CyanogenMod users can enable it from the Settings menu: tap Wireless and Network Settings, then tap VPN Settings.
Given the fragmentation on Android devices, this is a severe security risk that is mitigated only by its limitation to specific apps and public networks. The ideal solution is for Google to release app fixes or Android updates as soon as possible, although the company has given no indication of what steps it plans to take, or when. As always when using public Wi-Fi networks, proceed with caution.