Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Android browser vulnerability exposes user data

How to protect your Android smartphone from attacks

Article comments

A vulnerability in the Android browser could permit an attacker to steal the user's local data, according to a report yesterday from security expert Thomas Cannon.

Specifically, a malicious website could use the flaw to access the contents of files stored on the device's SD card as well as "a limited range of other data and files stored on the phone," Cannon explained.

In essence, the problem arises because the Android browser doesn't prompt the user when downloading a file. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort," he noted.

A video included with Cannon's post demonstrates the exploit in action using the Android emulator with Android 2.2, or Froyo, but Cannon has found it on an HTC Desire with Android 2.2 as well. Heise Security was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2, according to a report on The H.

For the demo, Cannon first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.

Protective Measures

The Android Security Team responded within 20 minutes of Cannon's notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated.

In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:

* Disabling JavaScript in the browser.

* Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.

* Using a browser such as Opera Mobile, which prompts the user before downloading files.

* Unmounting the SD card.

The Android Advantage

Though it is clearly a vulnerability that needs to be addressed, there is good news in Cannon's discovery as well.

First, "it is not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system," Cannon pointed out. Rather, it exposes only files on the SD card and "a limited number of others." System directories, in other words, remain protected.

Second, "you have to know the name and path of the file you want to steal," he added.

In other words, Android's Linux roots serve to protect the user from anything more than local damage, and that damage is limited to files whose names and paths are predictable, such as pictures taken with the device's camera.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *