Feeds

Android flaw poses drive-by data slurp risk

There's no patch for it, so users should take care

Securing Web Applications Made Simple and Scalable

A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.

Thomas Cannon discovered the JavaScript-related vulnerability outside his normal job as a corporate security officer. The hole would allow malicious websites to snatch the contents of any file stored on the SD card of an Android smartphone, provided the name and directory path of a targeted file is known beforehand.

It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.

The weakness arises because of a combination of factors that mean that when a file from a content provider is opened, the built-in Android browser will run JavaScript without prompting the user.

JavaScript running in the context of a content provider can use xmlhttp (ie AJAX) requests to slurp up the contents of files (and other data). Redirects can then be used to post the data back to a malicious website.

"I came across the vulnerability while doing some independent security research and writing a JavaScript-based demo to show a weakness in the way some applications share data via Android's Content Providers," Cannon explained. "I was surprised that an HTML page with JavaScript could query the content providers and realised that this could be triggered by a malicious site."

Cannon has gone public ahead of a update to the Android OS he reckons will be necessary to fix the problem in order to warns users of the risk. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.

"Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.

"This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.

Cannon suggests that Android users should either disable JavaScript or use an alternative browser - such as Opera - to mitigate against the risk of attacks pending a more comprehensive fix from Google. Another means of mitigating the vulnerability would be to use a potentially vulnerable handset without an SD card.

In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.

We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android.

Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added. ®

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.