Google has plugged a security hole that exposed the vast majority of Android phone users' calendars and contacts when they accessed those services over unsecured networks.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a company spokesman wrote in an email. "This fix requires no action from users and will roll out globally over the next few days."

The server-side fix addresses an implementation error in earlier versions of Android, which is used by more than 99 percent of those using the mobile operating system, according to Google figures. Versions 2.3.3 and earlier failed to transmit authentication tokens over an encrypted channels.

Attackers monitoring Wi-Fi hotspots and other open networks could exploit the weakness by copying the so-called authTokens and using them to gain unauthorized access to users' Google Calendars and Contacts.

The vulnerability could also cause devices synchronizing with Google Picasa web albums to transmit sensitive data through unencrypted channels, academic researchers from Germany's University of Ulm said.

The Google spokesman said the company's security team is still investigating those claims.

The fix forces Google servers to use an encrypted https connection when phones sync with Calendar and Contacts. ®

Related stories

• Android bug lets attackers install malware without warning (20 September 2011)

  https://www.theregister.com/2011/09/20/google_android_vulnerability_patching/

• Want to keep Android apps from spying on you? (22 June 2011)

  https://www.theregister.com/2011/06/22/android_privacy_app/

• Toxic Plankton feeds on Android Market for two months (13 June 2011)

  https://www.theregister.com/2011/06/13/android_market_still_insecure/

• Admin: Gmail phishers stalked victims for months (3 June 2011)

  https://www.theregister.com/2011/06/03/gmail_users_stalked_for_months/

• Spear phishers target gov, military officials' Gmail accounts (2 June 2011)

  https://www.theregister.com/2011/06/02/gmail_spear_phishing_exposed/

• Malware from Google Market menaces Android users (31 May 2011)

  https://www.theregister.com/2011/05/31/android_market_malware/

• Google Chrome OS: Too secure to need security? (27 May 2011)

  https://www.theregister.com/2011/05/27/google_chrome_os_security/

• Google Web Store quietly purged of nosy apps (26 May 2011)

  https://www.theregister.com/2011/05/26/google_web_store_privacy_threats/

• 35m Google Profiles dumped into private database (25 May 2011)

  https://www.theregister.com/2011/05/25/google_profiles_database_dump/

• 99% of Android phones leak secret account credentials (16 May 2011)

  https://www.theregister.com/2011/05/16/android_impersonation_attacks/

• Apple and Google wriggle on US Senate hot seat (11 May 2011)

  https://www.theregister.com/2011/05/11/us_senate_hearing/

• Want an untracked Android? Here’s how (5 May 2011)

  https://www.theregister.com/2011/05/05/marlinspike_kills_android_tracking/

• Google sued over – yes – Android location tracking (28 April 2011)

  https://www.theregister.com/2011/04/28/google_sued_over_android_location_tracking/

• Skype for Android is vulnerable (15 April 2011)

  https://www.theregister.com/2011/04/15/skype_for_android_vulnerable/

• Hacker kills his own Pwn2Own bug for Android phones (7 March 2011)

  https://www.theregister.com/2011/03/07/android_pwn2own_bug_killed/

• Android malware attacks show perils of Google openness (4 March 2011)

  https://www.theregister.com/2011/03/04/google_android_market_peril/

• Tainted apps worm into official Android store (2 March 2011)

  https://www.theregister.com/2011/03/02/android_malware/

• Security shocker: Android apps send private data in clear (24 February 2011)

  https://www.theregister.com/2011/02/24/android_phone_privacy_shocker/