More than 99 percent of smartphones running Google's Android mobile OS are potentially leaking personal data, say security researchers.

According to Bastian Konings, Jens Nickels and Florian Schaub from the University of Ulm, the data leak arises in the way the mobile OS handles log-ins for web-based services.

A number of apps in the OS require an authentication token from Google services, such as the search engine's Calendar function, when opened. The token means users don't need to keep logging-in to the service for a specific period of time. However these tokens are being issued over Wi-Fi networks, which means cybercriminals monitoring the network would be able to spot them instantly and subsequently fraudulently gain access to the Google services themselves.

"The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing," the researchers said in a blog.

"For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business."

It is not thought the flaw, which applies to all versions of the OS except 2.3.4 and verion 3.0 that is also known as Honeycomb and is designed for tablet PCs, is being exploited yet. However, the researchers urged Android owners to update their software to version 2.3.4 of the OS immediately, if possible.

Furthermore, users should switch off automatic synchronisation in the settings menu when connecting with open Wi-fi networks, while also ensuring the device 'forgets' any open networks previously used and open networks are not used to connect to the net until the flaw has been fixed.

The researchers also suggested Google should reduce the lifetime of the authorisation token while rejecting anything other than HTTPS connection.

Google has not yet commented on the vulnerability.

Ron Gula, CEO of Tenable Network security, said placing important data on a mobile device where it's easy to lose, steal, or rootkit offers the same problem as uncontrolled laptops, only worse.

"This is the case regardless of the mobile platform. With all mobile devices we have a situation where information is everywhere, getting auto-synched, distributed, cached, and downloaded – along with applications being downloaded on to them by the metric jillion, written by who knows who. The technology is often new and rapidly changing, so the potential for spyware is huge and all smart devices will continue to be a constant security concern now and in the future.

"Smart devices entering the workplace represent a combination of opportunity and threat; so organisations must understand the bigger picture of where information rests and flows within the network. The IT network management environment is only going to become more complex and challenging, both internally and externally – so businesses must ensure that they can see what's happening at every moment before something happens that they weren't expecting."