A vulnerability in the Android browser could permit an attacker to steal the user’s local data, according to a report yesterday from security expert Thomas Cannon.
Specifically, a malicious website could use the flaw to access the contents of files stored on the device’s SD card as well as “a limited range of other data and files stored on the phone,” Cannon explained.
In essence, the problem arises because the Android browser doesn’t prompt the user when downloading a file. “This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort,” he noted.
A video included with Cannon’s post demonstrates the exploit in action using the Android emulator with Android 2.2, or Froyo, but Cannon has found it on an HTC Desire with Android 2.2 as well. Heise Security was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2, according to a report on The H.
For the demo, Cannon first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.
Protective Measures
The Android Security Team responded within 20 minutes of Cannon’s notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated.
In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:
- Disabling JavaScript in the browser
- Watching for suspicious automatic downloads, which should be flagged in the notification area. “It shouldn’t happen completely silently,” Cannon notes
- Using a browser such as Opera Mobile, which prompts the user before downloading files
- Unmounting the SD card
Subscribers 0
Fans 0
Followers 0
Followers