Feeds

Android flaw poses drive-by data slurp risk

There's no patch for it, so users should take care

Next gen security for virtualised datacentres

A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.

Thomas Cannon discovered the JavaScript-related vulnerability outside his normal job as a corporate security officer. The hole would allow malicious websites to snatch the contents of any file stored on the SD card of an Android smartphone, provided the name and directory path of a targeted file is known beforehand.

It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.

The weakness arises because of a combination of factors that mean that when a file from a content provider is opened, the built-in Android browser will run JavaScript without prompting the user.

JavaScript running in the context of a content provider can use xmlhttp (ie AJAX) requests to slurp up the contents of files (and other data). Redirects can then be used to post the data back to a malicious website.

"I came across the vulnerability while doing some independent security research and writing a JavaScript-based demo to show a weakness in the way some applications share data via Android's Content Providers," Cannon explained. "I was surprised that an HTML page with JavaScript could query the content providers and realised that this could be triggered by a malicious site."

Cannon has gone public ahead of a update to the Android OS he reckons will be necessary to fix the problem in order to warns users of the risk. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.

"Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.

"This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.

Cannon suggests that Android users should either disable JavaScript or use an alternative browser - such as Opera - to mitigate against the risk of attacks pending a more comprehensive fix from Google. Another means of mitigating the vulnerability would be to use a potentially vulnerable handset without an SD card.

In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.

We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android.

Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.