Android phone data leak: What you need to know

Nearly all Android smart phones running a version of the operating system prior to 2.3.4 are potentially "leaking" sensitive data, according to researchers at the University of Ulm. Here's what you need to know to stay safe and keep your information to yourself.

What's the issue?

Certain Android applications, including ones officially bundled with the OS such as Calendar, Contacts and Picasa, send certain data, including authentication tokens (a form of password used to identify a user), in a clear rather than encrypted format.

Worse still, these tokens have a long life (up to 14 days) and aren't attached to the phone from which they originated. This means hackers could steal a legitimate user's credentials and use them elsewhere on a different handset.

Used securely, tokens are extremely useful, because they remove the need for users to log in to applications every time.

What's the risk?

Think of it like accessing your online banking service via a website that isn't secure. Theoretically, anyone could intercept that unencrypted data as it travels between your computer and the bank's server, stealing your password details or initiating false transactions.

Using insecure Android apps on open or hijacked wireless networks carries a similar risk. Although there's no evidence that such attacks are currently taking place, the hacking procedure is said to be relatively straightforward and could occur without the you knowing until the damage had been done.

Android software's default behaviour is to automatically connect to open wireless networks and then synchronise apps. This means data could be sent without you touching the phone.

What can I do to keep my phone and data secure?

Update your phone to Android 2.3.4 as soon as possible. Google reckons nearly all handsets (over 99 per cent) are still using older versions.

Unfortunately you may have to wait some time for your network provider to push out an update for your particular phone. You may be able to download an update manually, but you should check that it's from a legitimate source. Here's how to do it on a Nexus S.

Change default settings. Switch off the auto-synchronisation feature and tell your phone to forget old open networks, so it doesn't try to reconnect automatically in the future.

Use secure networks. Avoid using open (non-protected) Wi-Fi networks, convenient though they may seem. 

Remove non-essential personal data from your phone. The best way to protect your data is not to store it on your phone in the first place. You have to decide on a balance between the convenience of having information to hand and the risk of it going walkabout (a risk not limited to this particular issue). Perhaps sensitive information you may need to access could be stored on a password-protected website (without automatic login) instead of directly in the phone's memory.

Consider security software. We're not great fans of adding anti-virus software and the like to your phone, as it can bog things down for minimal advantage. With overall low risks and sensible phone usage, you can probably manage without, but if you're extra paranoid, by all means install some from a reputable company.

What is Google doing about this?

A Google spokesperson has issued this brief statement: "We're aware of this issue, have already fixed it for Calendar and Contacts in the latest versions of Android, and we're working on fixing it in Picasa."

Given the way Android updates, there's little else Google can do to get 2.3.4 on to phones. We hope Google will change some of the system defaults to make security a higher priority over convenience in subsequent updates.

Longer term, a unified Android OS under the Ice Cream Sandwich banner should allow security updates to be pushed out more quickly regardless of network or hardware.

Update 15:50: Included statement from Google.