Yesterday we caught wind of an issue with Android versions 2.3.3 and earlier that saw stored authTokens leaking personal data over unencrypted networks. As you might expect, Google is responding quickly to a problem they already addressed in Android 2.3.4 and higher, but that still affects 99 percent of handsets running their mobile OS.
The patch will make sure your contact and calendar data is safe, though Picasa information is a different story. Google says something else needs to be done to tackle that issue, but the good news is the initial fix should begin hitting phones over the next few days. You most likely won’t even realize the patch was installed. You know, because Google can do things like that, pushing over-the-air updates to your phone with you none the wiser.
[via Gizmodo]
What's the deal with rooted phones with custom ROMs?
Do we get these kinds of updates too?
I would not think so. Your phone is not tied to the policies of the provider/carrier. But who knows, the fix could be done in one of Google's many apps or all of them, meaning that if you at least have one installed the patch will be included.
The patch is being done server side, meaning there is no update being pushed
Why did they fix it on the Nexus S with 2.3.4 if they could have just fixed it all at one time on their servers, weird.
I assume then that, whilst this was fixed in 2.3.4, 2.3.x isn’t required for it?
You are correct.
+1 interwebs for you sir.
We need to know how to tell if we got the update or not!!!
If it is going to be fixed on their servers then you probably aren’t going to need an update.
Like you actually knew “yourself” about the “security hole” to begin with “on your own” before it was reported to you?… lol
What.. no one’s mad that Google is telling what is right for us a la Steve Jobs?
Quite telling.
Why would anyone be mad that google is fixing a security loophole? Go away troll.
Short of wanting to take advantage of a security hole, it makes no sense that anyone would object to having one fixed.
We’re supposed to have a “choice” right?
Is that not you Android fanboys' favorite word? Doesn’t seem like that’s the case here.
you’re right, Rhad. we should have the choice to be idiots and not patch a security hole. By someone caring enough to fix it this quickly and apply the patch for us (since many of us don’t even know of the issue), we should be angry.
Why, it’s EXACTLY the same as not having a choice to use USB, Flash and other evil non-iTechnologies out there!
You’re trolling right? All Google has done is changed to HTTPS for Contacts and Calendar on their own servers. You think we should be given a choice about this? Crazy.
@Rhad – You’re sorta right
Android = “Fanboys”
Apple = “Cult Fanbois”
HUUUUGE Difference, especially since we can “choose” how we want to use our phones (not even going into the “RF fail” of last year), and not how Jobs tells us how to…
You don’t get a choice with this update. To know that Google can change something without even asking you means they have the power to choose. Not you, you clueless imbecile.
If this was a problem with iDevices, Jobs would have told you that you were using the wifi wrong and disabled wifi capabilities. That being the difference.
Either that or he’d claim it was a feature not a bug
The update is something done server-side, so it's not something that gets pushed to the phones. Like they said, you won’t even know it happened.
Google is one of the companies whose security I can trust. But, they have left Android unprotected for some reason. I have a feeling Google was forced to make Android, rather than planned to make Android.
dude, Google bought Android…..
On so many levels… Ummmm No… *sigh* lol
Don’t blindly connect to unknown networks and the problem won’t apply to you in the first place. It’s great, and appropriate, that it’s being fixed, but it’s a wholly preventable situation.
Hf
Yeah, I’m glad they did something about this quickly. I wonder what the difference is between the server-side fix and the solution that made the 2.3.4 update secure? Somebody should ask Google.
This probably involves a server-side redirect to force a change to the HTTPS protocol. It’s a much cleaner solution for the app to request the HTTPS URL directly. Both work but the 2.3.4 solution is optimal.
If Goog can do this, then we shouldn’t have to wait for a carrier to push out OS updates….especially if we have stock with no skin. Some of us aren’t too tech savvy and don’t want to run the risk of bricking our phones to update to a “new” version that’s been out for five frickin months. I don’t want to switch to an iphone…
Well maybe if they push it out to cyanogen and others it would be patched even faster. Good luck waiting on Verizon to push anything.
Google isn’t doing anything like “pushing over-the-air updates to your phone with you none the wiser” to fix this thing. They are applying a server-side change to enforce https instead of http. Nothing is patched or fixed on the phones. Gizmodo writing out of their *ss. Don’t spread lies.