Wednesday, July 13, 2011

New Android phone malware indicates transition to mobile platform attacks

Malware has been an obvious problem on computers since internet use became widespread.  However, the problem is now shifting to mobile platforms.  At least two major malware packages, Zitmo (the mobile version of the Zeus banking trojan) and DroidDream, are available on the Android Market disguised as other software.  So how do you tell what's what?

Two suggestions:

  1. Don't download any odd apps, check their approval rating before downloading any apps, and always pay attention to what you're downloading.
  2. Have an antivirus such as Lookout or AVG DroidSecurity on your Android device.

As Google finds more malware on the Android Market, it removes the packages in question. However, it's still quite easy for this malware to end up on your phone anyway, and keep in mind that no solution will protect you 100% of the time.

Read more about Android malware here:
http://searchsecurity.techtarget.com/news/2240037695/New-Android-phone-malware-indicates-transition-to-mobile-platform-attacks

Android Security Vulnerability: The May 2011 security scare

Most, if not all, Android users are aware of the "gaping" security hole that "99% of Android phones [were] vulnerable to" earlier this year, but do they really know what it was all about?  The issue everybody was worrying about allowed hackers to impersonate legitimate users on certain websites. It could only be exploited on an open wifi network, and it required someone with decent knowledge of the inner workings of networks to use a packet sniffer such as Wireshark to find authTokens (usually a string of seemingly random numbers and letters that Android uses in place of a password over the internet) in network traffic and then send one to the vulnerable site, i.e. Google Calendar, Contacts and/or Gallery, to authenticate and illegitimately gain access to the profile of the user in question.

This article contains some information disqualifying some of the claims that news organizations made regarding this issue:
http://www.zdnet.com/blog/burnette/the-truth-about-the-latest-google-android-security-scare-updated/2270

Impersonation attacks are not new; there are a decent number of ways one user can impersonate another. The simplest example: forgetting to log out of your email, or checking the "stay signed in" checkbox, on a public computer could leave you S.O.L. while another person gets away with your email and all the personal information contained within (which is why I only install Firefox on public computers and set it not to save history or passwords, etc.). Note that this is a client-side vulnerability.  Another type of impersonation attack involves websites asking for personal information when the site is not secure; this is a server-side vulnerability, which can lead to password theft or, depending on the site in question, identity theft.  An easy way to tell whether a site is secure: if it has the padlock in the corner or 'https://' (emphasis on the 's') before the URL, it probably is a secure site.

In this case, it was (mostly) a server-side vulnerability that affected the aforementioned apps.  It comes down to an issue in the security of authToken: Google and others recommend that developers always use SSL/TLS encryption (HTTPS) when sending login information, and try to avoid using authToken, suggesting OAuth instead.
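As an added example (not code from the articles linked here or from Google), the following Python check audits a list of outbound requests and flags any that carry a token or session credential over a scheme other than HTTPS, which is the condition that exposed authTokens on open wifi. The hostnames, tokens, and the header and parameter names it looks for are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of outbound requests (method, URL, headers); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-1"}),
    ("GET", "https://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=CONSTRUCTED-TOKEN-2"}),
    ("GET", "http://photos.example.test/list?authToken=CONSTRUCTED-TOKEN-3", {}),
    ("GET", "http://static.example.test/logo.png", {}),
    ("POST", "http://contacts.example.test/sync",
     {"Cookie": "SID=CONSTRUCTED-SESSION"}),
]

# Assumed names under which an app might send credentials (hypothetical list).
CREDENTIAL_HEADERS = {"authorization", "cookie"}
CREDENTIAL_PARAMS = {"auth", "authtoken", "token", "access_token"}


def credential_locations(url, headers):
    """Return the header and query parameter names that carry credentials."""
    found = [f"header:{name}" for name in headers
             if name.lower() in CREDENTIAL_HEADERS]
    query = urlsplit(url).query
    found += [f"query:{key}" for key, _ in parse_qsl(query)
              if key.lower() in CREDENTIAL_PARAMS]
    return found


def find_cleartext_credentials(requests):
    """Flag requests that send credentials over a scheme other than HTTPS."""
    findings = []
    for method, url, headers in requests:
        parts = urlsplit(url)
        locations = credential_locations(url, headers)
        if locations and parts.scheme.lower() != "https":
            # Report host and location only; never echo the token value itself.
            findings.append((method, parts.hostname, locations))
    return findings


if __name__ == "__main__":
    for method, host, locations in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"{method} {host}: credentials sent without TLS in "
              f"{', '.join(locations)}")
```

The same request sent to the `https://` URL is not flagged, and requests without credentials are ignored even over plain HTTP.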

More information can be found here:
http://www.readwriteweb.com/archives/android_security_hole_a_problem_for_99_of_users_re.php

The original article from register.co.uk about this topic is located here: http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/

Google has already rolled out the fixes to this vulnerability. These fixes do not require user interaction, were rolled out globally, and should already be in place protecting people's information. However, note that there are still ways of getting in, so, just a friendly reminder: keep your information, particularly passwords, in a safe place (or better yet, in your head) and never give them out to anybody; keep your wits about you when it comes to network and internet traffic, and try to stay safe.

Android Security: Six Tips to Protect Your Google Phone

I can never stress enough that, whether it's your phone or your computer, any technological device that connects to a network is susceptible to security issues, so it's always a good idea to lock it down and follow guidelines to ensure that your device is protected at least against the most obvious issues.

This article gives some guidelines on how to secure your device:
http://www.cio.com/article/675129/Android_Security_Six_Tips_to_Protect_Your_Google_Phone

Note: All the steps he's described on that site are great tips, and necessary to securing your Android phone (especially antivirus, password, etc.). However, one really stuck out at me: owner information should nearly always be displayed on the lock screen. You never know when this might come in handy, i.e. if you lose your phone. However, not all Android phones actually have this feature, and you may require an additional app to display that information.