With cyber hacking activity on the rise, researchers couldn’t have picked a worse time to reveal a new security vulnerability that could affect over 99 million Google (Nasdaq: GOOG) subscribers.
The story began back in February, when a Rice University professor blogged about a potential security threat originating in Google’s authentication system, ClientLogin.
This system allows certain Google apps to sign you in and out of Google’s servers with authorization tokens instead of a username and password.
Technically, this method is more secure, since your username and password aren’t being sent over a network every time you sign in.
Problem is, when the information travels over an unencrypted network like, say, a Starbucks (Nasdaq: SBUX) Wi-Fi hotspot, then cyber hackers could easily hijack the token.
Researchers at the University of Ulm in Germany recently confirmed the vulnerability: “We wanted to know if it is really possible to launch an impersonation attack against Google services, so we started our own analysis. The short answer is: Yes, it’s possible and it’s quite easy to do so.”
Perhaps most troubling, hackers have plenty of time to use a hijacked token to access your Google accounts because the tokens remain valid for two weeks.
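As an added example (not from the original article or from Google), here is one way a defender could audit an app's outbound request log for authorization tokens sent without encryption and bound how long each stays usable. It assumes ClientLogin's `Authorization: GoogleLogin auth=` request header; the hosts, tokens and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)  # tokens "remain valid for two weeks" (article)

# Constructed sample of an app's outbound requests: (time sent, URL, headers).
SAMPLE_REQUESTS = [
    ("2011-05-17T09:00:00", "https://login.example.com/ClientLogin", {}),
    ("2011-05-18T08:30:00", "http://calendar.example.com/feeds",
     {"authorization": "GoogleLogin auth=TOKEN-A"}),
    ("2011-05-17T09:00:05", "http://calendar.example.com/feeds",
     {"Authorization": "GoogleLogin auth=TOKEN-A"}),
    ("2011-05-17T09:00:09", "https://contacts.example.com/feeds",
     {"Authorization": "GoogleLogin auth=TOKEN-B"}),
]

@dataclass
class Exposure:
    token: str
    first_seen: datetime
    urls: list = field(default_factory=list)

    @property
    def latest_expiry(self):
        # The token already existed at first_seen, so it cannot outlive this.
        return self.first_seen + TOKEN_LIFETIME

def find_cleartext_tokens(requests):
    """Return {token: Exposure} for tokens sent over plain HTTP at least once."""
    exposed = {}
    for sent_at, url, headers in requests:
        if urlsplit(url).scheme.lower() != "http":
            continue  # sent over TLS: not readable by others on the network
        # Header names are case-insensitive.
        value = next((v for k, v in headers.items()
                      if k.lower() == "authorization"), "")
        scheme, _, rest = value.partition(" ")
        if scheme.lower() != "googlelogin" or not rest.startswith("auth="):
            continue
        token = rest[len("auth="):]
        when = datetime.fromisoformat(sent_at)
        exp = exposed.setdefault(token, Exposure(token, when))
        exp.first_seen = min(exp.first_seen, when)
        exp.urls.append(url)
    return exposed

if __name__ == "__main__":
    for exp in find_cleartext_tokens(SAMPLE_REQUESTS).values():
        print(f"{exp.token}: treat as compromised until {exp.latest_expiry}")
```

A token that only ever travels over HTTPS (TOKEN-B in the sample) is not flagged; one cleartext request is enough to flag a token for its remaining lifetime.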
So what is Google doing about this major problem?
Google Has a Download Problem
The good news? Google’s latest Android release (2.3.4) protects against such intrusions.
The bad news? 99.7% of Android’s 100 million phone owners still haven’t received the update.
That’s because updating your Android phone isn’t just a case of simply downloading the latest release from Google. If you don’t have a stock Android phone like the Nexus One, it can take months to get the new software.
Why? Because some phone makers and carriers like to include their own customizations to the open platform. As ZDNet says, “All the original equipment manufacturers (OEMs), like Motorola (NYSE: MMI) and HTC, put their own software… on top of Android. Then, all the carriers add their own special sauce of applications. It can get messy.”
The situation has caused fragmentation in the Android market, with a total of seven different versions of the OS in the market right now.
And since each OS release requires application updates, it isn’t just a security concern. It’s a developer issue, too. Tack on several processor speeds and screen sizes across multiple devices, and it’s no wonder that 87% of Android app developers see fragmentation as a problem.
In response, Google is currently working on a quick fix for the security leak that “will roll out globally over the next few days.”
But better yet, it’s taking major steps to make sure everybody gets on the same page…
Would You Like to See Google’s Dessert Menu?
At its I/O developer conference last week, Google unveiled its next major OS update – “Ice Cream Sandwich.”
And just like the ones you find in the freezer section, it’s a full-fat, sugar-stuffed monster that promises to satisfy your craving.
You see, unlike other updates that simply increase functionality and security, Ice Cream Sandwich promises to unify all Android devices, tablets and smartphones alike, much like how Apple’s (Nasdaq: AAPL) iOS works with the iPhone, iPod touch and iPad.
As CNET says, this allows “developers to create apps once, and then those apps will be able to operate on different devices with different screen sizes and different capabilities. The OS will essentially be smart enough to figure out which type of device the app is running on and then adjust parameters.”
Pretty neat. And to top it off, Google also plans to work closely with phone manufacturers and wireless carriers in order to guarantee that Android users receive important system upgrades (and security updates) as soon as possible.
Ice Cream Sandwich is set to debut sometime during the fourth quarter. So we won’t see how well that plan materializes until then.
But any effort to mitigate Android’s fragmentation problem can only accelerate the platform’s growth.
P.S. Google’s rush to fix this major security flaw is understandable, given the recent wave of cyber attacks. For example…
- Last month, hackers infiltrated Sony’s (NYSE: SNE) PlayStation Network and online entertainment platform. The breach compromised the personal and credit card information of over 100 million people.
- On Monday, Forbes reported that Square Enix, the company behind the popular Final Fantasy video game series, was breached, too, exposing the email addresses of up to 25,000 customers.
- Just this week, Heroku, a cloud-computing platform acquired by Salesforce.com (NYSE: CRM), crashed briefly, due to a cyber attack.