More than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.
The data being leaked is typically used to get at web-based services such as Google Calendar.
The discovery was made by German security researchers looking at how Android phones handle identification information.
Google has yet to comment on the loophole uncovered by the team.
ID attack
University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub made their discovery while watching how Android phones handle login credentials for web-based services.
Many applications installed on Android phones interact with Google services by asking for an authentication token - essentially a digital ID card for that app. Once issued the token removes the need to keep logging in to a service for a given length of time.
Sometimes, the study says, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot so criminals eavesdropping on the wi-fi traffic would be able to find and steal them, suggest the researchers.
Armed with the token, criminals would be able to pose as a particular user and get at their personal information.
Even worse, found the researchers, tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.
"[T]he adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user," the researchers wrote in a blog post explaining their findings.
Abuse of the loophole might mean some people lose data but other changes may be harder to spot.
"...an adversary could change the stored e-mail address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business," the team speculated.
There is no suggestion that attackers are exploiting the Android loophole at the moment.
Almost all versions of the Android operating system were passing round unencrypted authentication tokens, found the researchers. It was fixed in version 2.3.4 but, suggest Google figures, only 0.3% of Android phones are running this software.
Some Google services, such as image sharing site Picasa, are still using unencrypted authentication tokens that can be stolen, found the team.
They urged Android phone owners to update their device to avoid falling victim to attacks via the loophole. Google is also known to be working with operators and handset makers to get updates to people faster than at present.
