Google has issued a server-side fix for a WiFi security hole that exposed Android user details over open networks.
The patch will be pushed out to users automatically "over the next few days", according to Google.
The security hole affected the ClientLogin protocol in versions of the operating system earlier than 2.3.4, which are run by the majority of users.
The protocol sent authentication credentials for native apps over unsecured HTTP to be exchanged for an authentication token.
The token could be intercepted over unsecured wireless networks and used to access Google Calendar and contacts.
Android used the same token for weeks, according to the German researchers who found the flaw.
The vulnerability was said to affect Google's Picasa photo storage service, but the company had not confirmed the flaw or said whether a patch would be issued.
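A defender can check proxy or gateway logs for the two conditions described above: a ClientLogin token sent outside TLS, and the same token staying in use for a long time. The following is an added example, not code from Google or the researchers; the log record layout, host names and token values are constructed, and the only protocol detail assumed is the documented `Authorization: GoogleLogin auth=<token>` header.

```python
import hashlib
import re
from datetime import datetime, timedelta

# ClientLogin tokens travel in an "Authorization: GoogleLogin auth=<token>" header.
TOKEN_RE = re.compile(r"GoogleLogin\s+auth=(\S+)", re.IGNORECASE)

# Constructed sample records: (timestamp, scheme, host, Authorization header value).
SAMPLE_LOG = [
    ("2011-05-01T09:00:00", "http", "calendar.example.test", "GoogleLogin auth=TOKEN-AAA"),
    ("2011-05-03T18:30:00", "https", "contacts.example.test", "GoogleLogin auth=TOKEN-BBB"),
    ("2011-05-15T12:00:00", "http", "contacts.example.test", "GoogleLogin auth=TOKEN-AAA"),
    ("2011-05-16T08:00:00", "http", "calendar.example.test", "Bearer unrelated"),
]

def fingerprint(token):
    """Short SHA-256 prefix, so findings never contain the replayable token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def audit(records, max_age=timedelta(days=1)):
    """Return one finding per token seen in cleartext, with its observed lifetime."""
    seen = {}  # fingerprint -> first/last sighting and hosts reached without TLS
    for ts, scheme, host, auth in records:
        match = TOKEN_RE.search(auth or "")
        if not match:
            continue  # not a ClientLogin request
        when = datetime.fromisoformat(ts)
        entry = seen.setdefault(
            fingerprint(match.group(1)),
            {"first": when, "last": when, "cleartext_hosts": set()},
        )
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        if scheme.lower() != "https":
            entry["cleartext_hosts"].add(host)
    findings = []
    for fp, entry in sorted(seen.items()):
        if not entry["cleartext_hosts"]:
            continue  # token only ever observed inside TLS
        lifetime = entry["last"] - entry["first"]
        findings.append({"token_fp": fp, "hosts": sorted(entry["cleartext_hosts"]),
                         "lifetime_days": lifetime.days, "long_lived": lifetime > max_age})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
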