Monday, Nov 29, 2010

Android Browser Flaw Could Allow Data Theft - And Why It Generally Won't Work

Security researcher Thomas Cannon has uncovered a flaw in the default Android browser that could potentially allow a malicious web site to nab data from your SD card.

The security flaw is centered around the fact that the default Android browser doesn't prompt you for permission before downloading a file.  When an unsuspecting user clicks a malicious link from within the browser, some JavaScript code gets executed which can then grab a file from your SD card and upload it back to the web site.  Sounds pretty scary, right?

Well, it turns out that the exploit may not be quite as bad as it seems.  More details after the jump.

The first thing to be aware of is that the malicious web site must know the exact file name, including the directory name, of the file that it's after.  In other words, it can't just start uploading random files.  

Secondly, the JavaScript only has access to the SD card and a limited number of other areas.  System directories remain protected.  This is because the Linux operating system upon which Android is built has inherent security measures that prevent access to sensitive storage areas by apps, including the browser.

According to Cannon, the Android Security team responded about 20 minutes after he first notified them of the issue.  They stated that a fix for this flaw will be included in a Gingerbread (aka Android 2.3) maintenance release after that Android version is released.

Unfortunately, this highlights what I consider to be one of the major issues with the Android platform.  Here is a clear security issue, but Google isn't fixing it until the next version of the OS is released.  Anyone want to guess when their specific phone will receive Gingerbread?  Care to wager any money on your guess?  I seriously doubt it because no one knows for sure, and based on past performance, the carriers tend to take their own sweet time releasing new OS versions for devices.  At that, carriers also don't commit to upgrading all of the devices they market.

Google: you must get a handle on a way to publish security patches for Android that bypasses the carriers, or at a minimum forces them to release updates in a timely manner.  As users' lives become more and more smartphone-centric, security is of enormous concern.  Right now, you're acting the way Microsoft did several years ago when their approach to security was garbed in apathy and disinterest.

In the meantime, here are some steps you can take to mitigate the potential effects of this flaw:

  • Disabling JavaScript in the browser.
  • Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.
  • Using a browser such as Opera Mobile, which prompts the user before downloading files.
  • Unmounting the SD card.

Below is a video from Cannon that shows the exploit in action.

Source: PC World
