Drive-by exploit slurps sensitive data from Android phones
Et tu, Gingerbread?
A computer scientist has found a vulnerability in the latest version of Google's Android operating system that can be exploited to disclose sensitive user information.
The data-stealing bug in Android 2.3, aka Gingerbread, allows attackers to read and upload pictures, voicemail and other data stored on a handset's SD memory card, Xuxian Jiang, assistant professor in North Carolina State University's department of computer science, reported here. The vulnerability, which is exploited when a user clicks on a booby-trapped link, also allows attackers to upload phone applications to a remote server.
He said proof-of-concept code successfully carries out the attack on a stock Nexus S phone, which comes with Gingerbread installed. It's not clear if the attack works on other brands that also run the latest OS.
“We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone,” a Google spokesman wrote in an email. “We're in communication with our partners.”
The fix will ship in an upcoming 2.3 maintenance release, Google said.
The information-disclosure threat is similar to one disclosed in November in Android 2.2 by researcher Thomas Cannon. Both vulnerabilities disclose data only when an attacker knows the precise name and path of a file stored on an SD card. The exploit can't break out of the security sandbox, so system data and email, SMS messages and files stored on the phone itself remain off limits.
Workarounds until a fix is available include disabling JavaScript in the Android browser, using an alternate browser, or removing the SD card. ®
COMMENTS
Fragmentation means customers on their own
Android fragmentation, the unwillingness of the vendors to update their Android-based kit regularly will mean your data will not be safe on Android ... especially since you have to download a program that only runs on Windows (AFAIK, could not find Mac equivalent - Linux?) to update SE's Android kit.
Have an updater app on the phone. Have themes. Vendors should be forced to support updates for two years at least ... and SLA for "by when" a new version "must" be on the phone.
They need to get their act together!
Re: Agree to an extent
"I can understand a delay while the handset manufacturer does testing. But it took O2 an extra 5 months to release 2.2 after it had been made available by HTC for the Desire."
Which is simply because that's not yet a competitive factor when most people make their purchasing decisions.
If enough of us factor that in when purchasing, then they will release the updates faster. They shouldn't be 'forced' to act faster, they should realise it's in their commercial interests to do so.
RE Hans
Errr... no need for an update app as it is built into the OS. No, you don't have to download a Windows app, as both apps from the market place and OS upgrades can be done OTA.
I do agree that vendors should be forced to provide updates for at least 2 years - Motorola are seriously getting on my nerves now with the delay deploying Froyo to the Milestone. I will never buy a Motorola product again, but I will buy another Android phone. This is something us non-fruity obsessed people like to call choice.
Much better than one phone to rule them all.