Android browser flaw exposes user data

Potential harm is limited, however, by a few basic Android features. Here's how to protect your Android smartphone.

A vulnerability in the Android browser could permit an attacker to steal the user's local data, according to a report yesterday from security expert, Thomas Cannon.

Specifically, a malicious Website could use the flaw to access the contents of files stored on the device's SD card as well as "a limited range of other data and files stored on the phone," Cannon explained.

In essence, the problem arises because the Android browser doesn't prompt the user when downloading a file. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort," he noted.

A video included with Cannon's post demonstrates the exploit in action using the Android emulator with Android 2.2, or Froyo, but Cannon has found it on an HTC Desire with Android 2.2 as well. Heise Security was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2, according to a report on The H.

For the demo, Cannon first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.

Protective Measures

The Android Security Team responded within 20 minutes of Cannon's notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated.

In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:

* Disabling JavaScript in the browser.

* Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.

* Using a browser such as Opera Mobile, which prompts the user before downloading files.

* Unmounting the SD card.

The Android Advantage

Though it is clearly a vulnerability that needs to be addressed, there is good news in Cannon's discovery as well.

First, "it is not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system," Cannon pointed out. Rather, it exposes only files on the SD card and "a limited number of others." System directories, in other words, remain protected.

Second, "you have to know the name and path of the file you want to steal," he added.

In other words, Android's Linux roots serve to protect the user from anything more than local damage, and that damage is limited to files whose names and paths are predictable, such as pictures taken with the device's camera.

Follow Katherine Noyes on Twitter: @Noyesk.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags open sourcebrowsersGooglesoftwareapplicationsPhonesconsumer electronicsCell Phonesonline securitybrowser security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Katherine Noyes

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?