Security researcher Thomas Cannon has uncovered a flaw in the default Android browser that could allow a malicious web site to nab data from your phone's SD card.
Well, it turns out that the exploit may not be quite as bad as it seems. More details after the jump.
The first thing to be aware of is that the malicious web site must know the exact file name, including the directory path, of the file it's after. In other words, it can't simply enumerate the card and upload arbitrary files; it has to guess or already know the full path of its target.
According to Cannon, the Android Security team responded about 20 minutes after he first notified them of the issue. They stated that a fix for this flaw will be included in a Gingerbread (aka Android 2.3) maintenance release, after that Android version is released.
Unfortunately, this highlights what I consider to be one of the major issues with the Android platform. Here is a clear security issue, but Google isn't fixing it until the next version of the OS is released. Anyone want to guess when their specific phone will receive Gingerbread? Care to wager any money on your guess? I seriously doubt it, because no one knows for sure, and based on past performance, the carriers tend to take their own sweet time releasing new OS versions for devices. On top of that, carriers don't commit to upgrading all of the devices they market.
Google: you must get a handle on a way to publish security patches for Android that bypasses the carriers, or at a minimum forces them to release updates in a timely manner. As users' lives become more and more smartphone-centric, security is of enormous concern. Right now, you're acting the way Microsoft did several years ago, when its approach to security was garbed in apathy and disinterest.
In the meantime, here are some steps you can take to mitigate the potential effects of this flaw:
- Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.
- Using a browser such as Opera Mobile, which prompts the user before downloading files.
- Unmounting the SD card, at least while browsing untrusted sites. Note that an unmounted card is also unavailable to your own apps (photos, music, and so on), so this is a stopgap rather than a fix.
Below is a video from Cannon that shows the exploit in action.
Source: PC World