Android Enthusiast
Jan 16, 2011
Today it was announced that Google will be pushing out a security patch for Android 2.2 and below phones. Will this "play nice" with rooted phones or will there be conflict? Apparently the patch will be sent without action on the part of the recipient.


Thanks in advance!
According to this Computer World story, the fix will be applied on the server end - not rolled out to handsets. Which makes sense - no having to wait for carriers to have to vet things and approve it and roll it out, finally, six months from now.

Google declined to specify how it's addressing the problem, but the German researchers had posed several ways the search giant could plug the security hole.

Among them, Google could modify its services to "reject ClientLogin-based requests from insecure HTTP connections to enforce use of HTTPS," said the researchers, referring to the encrypted data transmission used by online retailers. "HTTPS is already required for the Google Docs API and will be required for Google Spreadsheet and Google Sites APIs in September 2011. It should be mandatory for all of Google's data APIs."
Lookout's Mahaffey suspects that that is exactly the route Google is taking.

"I haven't seen exactly what they're doing," said Mahaffey, "so I can't speculate much, but one solution would be to make it so that authentication tokens aren't sent in the clear anymore."

Paquette assumed the same.

"My guess is that the ClientLogin Protocol had an option that allowed clear text over HTTP, and that Google disabled that on its end by having it say, 'Our end is always going to say "No" to that.' When that happens, the client will decide to send the authentication request encrypted."

While Google could have applied the same fix to the client side -- to each Android phone running an older version of the operating system -- the faster solution was to do it on the server side, Paquette said.
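
A sketch of the server-side option the researchers describe in the quoted article (rejecting ClientLogin requests that arrive over plain HTTP), added here as an example; it is not code from the thread, the article, or Google. `TokenStore`, `handle` and the sample tokens are hypothetical, and invalidating a token seen in cleartext is an extra step assumed for this example, not something the article says Google does.

```python
import re

# ClientLogin clients present their token as "Authorization: GoogleLogin auth=<token>".
_CLIENTLOGIN = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


class TokenStore:
    """Hypothetical in-memory token table standing in for a real auth backend."""

    def __init__(self, valid):
        self.valid = set(valid)
        self.exposed = set()

    def mark_exposed(self, token):
        # The token already crossed the network unencrypted: stop honouring it.
        self.valid.discard(token)
        self.exposed.add(token)


def handle(scheme, headers, store):
    """Return (status, reason) for one data-API request.

    scheme  -- "http" or "https" as seen where TLS is terminated
    headers -- dict of request headers with lower-cased keys
    """
    match = _CLIENTLOGIN.match(headers.get("authorization", "").strip())
    if match is None:
        return 401, "no ClientLogin token presented"
    token = match.group(1)
    if scheme.lower() != "https":
        # Reject rather than redirect: by the time the server sees this
        # request, the token has already been sent in the clear.
        store.mark_exposed(token)
        return 403, "ClientLogin over HTTP rejected; token invalidated"
    if token not in store.valid:
        return 401, "unknown or invalidated token"
    return 200, "ok"


# Constructed sample requests (tokens are made up).
store = TokenStore(valid={"tok-alice", "tok-bob"})
results = [
    handle("https", {"authorization": "GoogleLogin auth=tok-alice"}, store),
    handle("http", {"authorization": "GoogleLogin auth=tok-bob"}, store),
    handle("https", {"authorization": "GoogleLogin auth=tok-bob"}, store),
]
```

The third request shows why the rejection matters on the server side: once a token has been seen over HTTP it is refused even when later presented over HTTPS, so the client has to re-authenticate over an encrypted connection.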
Well, to me it sounds like a good thing. I am rooted and love it, but for me security is the top priority. I am stoked that Google is addressing this.