UPDATED: Google boosts privacy amidst Android leak worries
As it moves to fix Android data leaking issues, the tech giant adds trust accreditation to Marketplace Apps.
Yesterday, Google announced a TRUSTe administered data privacy certification programme for its Apps, designed to give customers confidence in the security of software on the market.
“TRUSTe has created a certification program for installable Marketplace apps to verify that they clearly communicate their data handling and privacy practices,” said Scott McMullan, Google Apps partner lead, in a blog post.
“This programme, which is optional for vendors, displays a green TRUSTe logo on a certified app’s Marketplace listing page as well as search results pages.”
Customers who click on the logo will go through to a summary with more information about the app.
Google has also moved to fix a vulnerability thought to affect the majority of Android phones.
German researchers Bastian Konings, Jens Nickels and Florian Schaub, from the University of Ulm, found login data to Google services could be leaked over unprotected Wi-Fi networks.
The problem stemmed from the way in which apps interact with Google services to request tokens. Tokens were seen being sent in plain text over open Wi-Fi networks, allowing eavesdroppers to pilfer them.
This could have allowed hackers to get hold of users’ calendar and contact data, or pictures via Picasa.
“This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user,” the researchers warned in a blog post.
They claimed 99.7 per cent of all Android smartphones were affected.
Google said it had fixed the issue in the latest versions of Android, including the current Gingerbread and Honeycomb OSs.
“We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa,” a Google spokesperson said.
Google Apps accounts were protected from the calendar and contacts vulnerability, however, as they send traffic over HTTPS.
UPDATE Google has sent over a new statement surrounding the Android flaw, saying an automatic fix would be rolled out soon.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson said.
"This fix requires no action from users and will roll out globally over the next few days."