17. July, 2013
If “Back up my data” is enabled on your Android phone, then Google keeps a clear-text, unencrypted copy of your WLAN passwords on its servers. Since Google is a US company, the government and its agencies have access to this data. Google also keeps a database with the location of all WLANs (for their location service), so it’s trivial for them to gain access (even though someone must physically walk/drive into the range of the WLAN router).
Solution: Disable this function, use a local backup program (disable cloud backup for it as well) and change all your passwords.
17. May, 2011
Would you tell your GMail password to a friend? Your colleagues in the office? Publish it on the Internet?
If the answer to any of these is “NO”, you should turn off automatic synchronization on your Android smartphone and never use it in open Wifi networks.
The reason is that Google uses something called a “token” to allow apps on your smartphone to connect to Google services like your mail box, your calendar, etc. The token is like a key on your keychain: Anyone who has the key can open the door it fits. Unlike with the keys on your keychain, anyone who can pick a token out of the air knows where that door is!
Related article: Catching AuthTokens in the Wild