Android vulnerability permits data theft
Security expert Thomas Cannon has discovered a security vulnerability in the Android browser which can be exploited by attackers to read local files when a smartphone user visits a crafted web site. The vulnerability appears to affect all versions of Android, including the current version 2.2 (Froyo). Our colleagues at heise Security have been able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2. Cannon reports that he has verified the vulnerability on an HTC Desire (2.2) and on the Android emulator (1.5, 1.6 and 2.2) in the SDK.
Because the browser runs in a sandbox, the vulnerability can only be used to access user data and cannot be used to access system directories. An attacker would also need to know the path for any file they wished to access. One suitable target might be photographs taken using the smartphone, which are saved with sequential numbers, or consistently named application files, some of which – online banking apps for example – can also contain confidential data.
Cannon alerted Google to the vulnerability, and less than 20 minutes later Google responded, informing him that it was looking into the problem. Shortly thereafter, following a request from Google, he removed most of the details of the exploit from his web site. Google has now got to the bottom of the problem and is working on a patch, which is currently undergoing evaluation. This will not, however, find its way into Android 2.3 (Gingerbread), the release of which is imminent. It is instead expected to be included in a future update and it could be some time before it finds its way onto many users' phones. This is Cannon's justification for having gone public with the problem.
- Android holes allow secret installation of apps, a report from The H.
- Back door exploit for Android phones, a report from The H.
- Security firm reportedly discovered 88 critical holes in Android, a report from The H.