Search engine has started patch roll-out
Yesterday, researchers from the University of Ulm highlighted the data leak, which is caused by the way the mobile OS handles log-ins for web-based services.
A number of apps in the OS require an authentication token from Google services, such as the search engine's Calendar function, when opened. The token means users don't need to keep logging in to the service for a specific period of time. However, these tokens are being issued over Wi-Fi networks, so cybercriminals monitoring the network would be able to spot them instantly and subsequently use them to gain fraudulent access to the Google services themselves.
The flaw applies to all versions of the OS except 2.3.4 and version 3.0, which is also known as Honeycomb and is designed for tablet PCs. It is not thought to be being exploited yet. However, Google still plans to distribute a patch.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," Google said.
"This fix requires no action from users and will roll out globally over the next few days."