More than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online. The data being leaked is typically used to get at web-based services such as Google Calendar. The discovery was made by German security researchers looking at how Android phones handle identification information. Google has yet to comment on the loophole uncovered by the researchers.

University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub made their discovery while watching how Android phones handle login credentials for web-based services. Many applications installed on Android phones interact with Google services by asking for an authentication token - essentially a digital ID card for that app. Once issued, the token removes the need to keep logging in to a service for a given length of time.

Sometimes, found the researchers, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot, so criminals eavesdropping on the wi-fi traffic would be able to find and steal them, suggest the researchers. Armed with the token, criminals would be able to pose as a particular user and get at their personal information. Even worse, found the researchers, tokens are not bound to particular phones or time of use, so they can be used to impersonate a handset almost anywhere.

BBC