Rice University professor Dan Wallach wrote a blog post in February that discussed the threat that network eavesdropping poses to Android users. Several applications, including the platform's native Google Calendar software, don't use SSL encryption to protect their network traffic. Wallach speculated that the calendar software could be susceptible to an impersonation attack.

Researchers at the University of Ulm followed up on Wallach's findings and devised a proof-of-concept attack to demonstrate the vulnerability. Several of Google's applications use the ClientLogin authentication system but fail to use SSL to encrypt their communication with Google's servers, making them susceptible to eavesdropping attacks.

ClientLogin is designed to allow applications to trade a user's credentials for an authentication token that identifies the user to the service. If the token is passed to the server in an unencrypted request, it could potentially be intercepted and used by the attacker.

The authentication tokens remain valid for two weeks, during which time the attacker has relatively broad access to the user's account in a specific Google service. The researchers found that Android's calendar sync, contact sync, and Picasa sync are all susceptible.

Although the bug has already been fixed (for calendar and contact sync, but not Picasa) in Android 2.3.4—the latest version of the operating system—the vast majority of mobile carriers and handset manufacturers haven't issued the update yet. According to Google's own statistics, this means that 99.7 percent of the Android user population is still susceptible to the vulnerability.

This reflects the need for better update practices among Android hardware vendors. During a keynote presentation at the recent Google I/O event, product manager Hugo Barra acknowledged the problematic nature of the Android update process and told developers that an effort to address the issue is in the works. At a press briefing following the keynote, Google's Andy Rubin offered some additional details.

There is no actual plan in place at this time, but a number of Google's largest handset and carrier partners have formed a working group to begin setting the guidelines for a new update initiative. The participants intend to guarantee the availability of regular updates for a period of 18 months on new handsets. They could also potentially define some boundaries to reduce the gap between when a new version of Android is released and when it is deployed over the air.

Although the initiative is still at a very early stage and the policies it formulates will be entirely voluntary, it already has preliminary buy-in from enough prominent Android stakeholders to make it credible. The leading Android handset manufacturers and all four of the major US carriers are currently involved.

If the group can build consensus around a reasonable set of update policies, it would be a big win for Android adopters. It would ensure that security issues like the ClientLogin bug can be remedied in a timely manner. Another positive side effect is that it would help diminish the uncertainty about product lifespan that frustrates many Android end users. The fact that so many Android users are still at risk from a vulnerability that has already been fixed is a telling sign of the need for faster updates.

Update: following widespread reports of this issue, Google has come up with a way to mitigate the issue on the server side. The fix will reportedly be rolling out soon.