We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Android browser flaw exposes user data

Bug lets hacker access contents on SD card

A vulnerability in the Android browser could permit an attacker to steal the user's local data, according to security expert Thomas Cannon.

Specifically, a malicious website could use the flaw to access the contents of files stored on the device's SD card as well as "a limited range of other data and files stored on the phone", Cannon explained in a blog.

In essence, the problem arises because the Android browser doesn't prompt the user when downloading a file. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort," he said.

A video included with Cannon's post demonstrates the exploit in action using the Android emulator with Android 2.2, or Froyo, but Cannon has found it on an HTC Desire with Android 2.2 as well. Heise Security was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2, according to a report on The H website.

For the demo, Cannon first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.

The Android Security Team responded within 20 minutes of Cannon's notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated. In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:

  • Disabling JavaScript in the browser.
  • Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.
  • Using a browser such as Opera Mobile, which prompts the user before downloading files.
  • Unmounting the SD card.

Though it is clearly a vulnerability that needs to be addressed, there is good news in Cannon's discovery as well.

First, "it is not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system," Cannon pointed out. Rather, it exposes only files on the SD card and "a limited number of others." System directories, in other words, remain protected. Second, "you have to know the name and path of the file you want to steal," he added.

In other words, Android's Linux roots serve to protect the user from anything more than local damage, and that damage is limited to files whose names and paths are predictable, such as pictures taken with the device's camera.

See also: Google Android apps get content ratings


IDG UK Sites

Microsoft Band UK release date and price rumours, features and specs: Microsoft smartwatch unveiled

IDG UK Sites

Why Sony's PS4 2.0 update is every gamer's dream (well, mine at least)

IDG UK Sites

This Grolsch ad combines stop-motion & CG for majestic results

IDG UK Sites

Apple rumours and predictions for 2015: What to expect from Apple in 2015