Last Friday, German researchers from Ulm University found a flaw in the Android platform for versions 2.3.3 and earlier that made it possible for a hacker to access and edit a user’s Google contacts and calendar on open WiFi networks.
About 99.7 percent of Android users were still running earlier versions of the platform, the researchers said.
For users running these earlier versions, the services use an unencrypted http connection to request an authentication token from Google. In later versions of Android, the services use a secure https connection to request an authentication token from Google.
The company issued a statement Wednesday saying, "Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."
Researchers also found that synchronization with Picasa, Google’s photo album service, is not encrypted. Google is still investigating this issue.