German Researchers at the University of Ulm have discovered a security loop hole in the Android platform. The issues is related to authentication where an attacker can collect and use the digital tokens saved on a phone after a user inputs credentials for a password-protected service.Apps usually transmit username and password to the server securely and the server returns an authentication token to be used so that the app doesn’t have to log in every time it makes a request. This token is the weak link as it is often transmitted insecurely. An attacker can easily steal one of these tokens by sniffing the unsecured public Wi-Fi network you use. And since the token is valid for up to two weeks, the attacker can go on and sync your contacts or calendar entries to a device of their own.
A patch has been released by Google to solve this issue; however it only works for Android 2.3.4 and Android 3.0. So this means that all devices with Android 2.3.3 and below are under authentication threats.
More research concluded that syncing contacts and calendar data is done insecurely prior to v2.3.3. Even the Gallery app uses the insecure method even in the latest smart phone version of Android.
