Google (NSDQ: GOOG) has figured out a way to patch the Android security flaw disclosed earlier this week without having to cajole its carrier and handset partners into rushing the latest version of Android to handsets or force users to download something on their own.
A Google representative confirmed Wednesday that the flaw will be patched silently, without Android users receiving a notification of an over-the-air update, which is the usual way that new Android versions are pushed to handsets. Security researchers in Germany have discovered that when Android phones running anything but the latest version of the software connect to a Wi-Fi hotspot administered by a malicious attacker, login information for contacts, calendar appointments, and Picasa accounts can be intercepted and read by that attacker.
The problem is that while Google fixed this issue in Android 2.3.4, only a tiny sliver of Android handsets in the wild are running that latest version. When new operating system versions are released, Android partners serve as gatekeepers between Google and end users so that they can test how their unique Android implementations will mesh with the new software, and as a result it often takes months for new software to hit the installed base.
Nothing has changed in that regard with the fix rolling out this week: Android users aren’t getting the new software; they’re just getting a patch that fixes the issue for contacts and calendars (neither Android 2.3.4 nor this week’s patch addresses the Picasa issue). But it underscores the need for Google and its partners to figure out a better way to get new software on Android handsets, and discussions to that effect are under way.