UPDATED: Google boosts privacy amidst Android leak worries


Google has added trust accreditation to Marketplace apps as it deals with claims that almost all Android phones leak user data.

Yesterday, Google announced a TRUSTe administered data privacy certification programme for its Apps, designed to give customers confidence in the security of software on the market.

"TRUSTe has created a certification program for installable Marketplace apps to verify that they clearly communicate their data handling and privacy practices," said Scott McMullan, Google Apps partner lead, in a blog post.

"This programme, which is optional for vendors, displays a green TRUSTe logo on a certified app's Marketplace listing page as well as search results pages."

Customers who click on the logo will go through to a summary with more information about the app.

Android issues

Google has also moved to fix a vulnerability thought to affect the majority of Android phones.

German researchers Bastian Konings, Jens Nickels and Florian Schaub, from the University of Ulm, found login data to Google services could be leaked over unprotected Wi-Fi networks.

The problem stemmed from the way in which apps interact with Google services to request tokens. Tokens were seen being sent in plain text over open Wi-Fi networks, allowing eavesdroppers to pilfer them.

This could have allowed hackers to get hold of users' calendar and contact data, or pictures via Picasa.

"This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user," the researchers warned in a blog post.

They claimed 99.7 per cent of all Android smartphones were affected.

Google said it had fixed the issue in the latest versions of Android, including the current Gingerbread and Honeycomb OSs.

"We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa," a Google spokesperson said.

Google Apps accounts were protected from the calendar and contacts vulnerability, however, as they send traffic over HTTPS.

UPDATE Google has sent over a new statement surrounding the Android flaw, saying an automatic fix would be rolled out soon.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson said.

"This fix requires no action from users and will roll out globally over the next few days."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.