“You don't have to have a specialist to do this, it is well-documented by Google. The attacks are very simple,” Bastian Könings, who works at Ulm University, told Der Spiegel.
All the contacts, diary dates and even photos contained on a hacked phone can easily be looked at and even altered – and not only for the period of time the hacker and the hacked are on the same network, he said.
A potential hacker has only to use Google's interface for external developers, he said. All that is necessary is to log onto a public wireless internet connection such as those found in cafes, airports or hotels.
This gives access to all android mobiles logged onto the same connection. The hacker can catch anything being floated over the Google cloud services, including the ‘tokens' – authentication data. These remain unchanged for up to two weeks, said Könings, and grant continuing access to a phone even when the public internet session is over.
Business competitors could use such information, just as stalkers could, and even criminals who want to know when someone is definitely going to be away from home.
"We know about this and have been able to solve it in the latest Android versions for calendar and contacts and are working on solving it for Picasa too," a Google spokesman said.
Könings said he had told the company of his findings a while ago but had not received much reaction.