German researchers have discovered that nearly all Android phones have an authentication flaw that could allow hackers to steal digital credentials over open wireless networks.

The credentials could be used to access calendar services, contacts and other apps researchers said. The problem is fixed in the latest version of Android, but 99.7 percent of all Android devices are running older versions.

Specially, the problem researchers at the University of Ulm in Germany say the problem is with authentication tokens that let Android phone users surf the Web without having to repeatedly enter account names and passwords.

It turns out the tokens are sometimes sent in plain text, which means that anyone looking in on an WiFi connection could collect and use them.

Note that this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS, they added.

Google confirmed the issue and recommends users upgrade to the latest software.

The incident is fresh on the heels of Google's last privacy spat in April where researchers found that Android based phones were sending location based data back to headquarters up to 1000 times a day.

Google, along with mobile phone rival Apple, testified before Congress on May 10 regarding their data privacy practices.

Both companies offered similar defenses, saying that they do not track user's exact location, but instead anonymous user statistics, including location information.