Update, Wednesday at 11:45 a.m. PT: Google has issued a fix that forces the affected Google apps to connect via the secure protocol HTTPS. As long as you update your apps when the fix is pushed out, this public Wi-Fi vulnerability won't affect you. Until then, it's best to use public Wi-Fi with extreme caution or follow the instructions below.
Android phones and tablets running version 2.3.3 and earlier suffer from a calendar and contact information vulnerability on public Wi-Fi networks, according to a new report. However, there are some concrete steps you can take to protect yourself.
Here's how it works. The vulnerability is in the ClientLogin Protocol API, which streamlines how a Google app talks to Google's servers. Applications request access by sending an account name and password via secure connection, and the access is valid for up to two weeks. If the authentication is sent over unencrypted HTTP, an attacker could use network-sniffing software to steal it over a legitimate public network, or spoof the network entirely using a public network with a common name, such as "airport" or "library." The attack won't work on Android 2.3.4 or above, including Honeycomb 3.0, but those versions account for only 1 percent of in-use devices.
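The exposure described above can be checked for from the network side. The following is an added example, not code from this article or from Google: it scans proxy-style request records for ClientLogin credentials sent over plain HTTP and reports a fingerprint of each one. The `Authorization: GoogleLogin auth=` header format comes from Google's ClientLogin documentation rather than this page, and the URLs and token values are constructed sample data.

```python
import hashlib
import re
from urllib.parse import urlsplit

# ClientLogin presents its token as "Authorization: GoogleLogin auth=<token>".
TOKEN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

# Constructed sample of proxy-observed requests: (url, header lines).
SAMPLE = [
    ("http://www.google.com/calendar/feeds/default/private/full",
     ["Host: www.google.com", "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-AAAA"]),
    ("https://www.google.com/m8/feeds/contacts/default/full",
     ["Host: www.google.com", "Authorization: GoogleLogin auth=CONSTRUCTED-TOKEN-BBBB"]),
    ("http://example.org/index.html", ["Host: example.org"]),
    ("http://www.google.com/calendar/feeds/default/private/full",
     ["Host: www.google.com", "authorization:  GoogleLogin auth=CONSTRUCTED-TOKEN-AAAA"]),
]

def parse_headers(lines):
    """Map lower-cased header names to stripped values."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def find_cleartext_tokens(requests):
    """Return one finding per distinct token seen over plain HTTP."""
    findings = {}
    for url, header_lines in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # HTTPS requests do not expose the header on the wire
        match = TOKEN_RE.match(parse_headers(header_lines).get("authorization", ""))
        if not match:
            continue
        # Keep a fingerprint, never the token, so the report is not itself a credential.
        fp = hashlib.sha256(match.group(1).encode()).hexdigest()[:12]
        entry = findings.setdefault(fp, {"token_sha256_prefix": fp, "hosts": set(), "count": 0})
        entry["hosts"].add(parts.hostname)
        entry["count"] += 1
    return sorted(findings.values(), key=lambda f: f["token_sha256_prefix"])

if __name__ == "__main__":
    for finding in find_cleartext_tokens(SAMPLE):
        print(finding)
```
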
Of course, the safest solution is to avoid using public, unencrypted Wi-Fi networks by switching to mobile 3G and 4G networks whenever possible. But that's not always an option, especially for Wi-Fi-only tablet owners or those on tight data plans.