We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,696 News Articles

Android browser flaw exposes user data

Bug lets hacker access contents on SD card

A vulnerability in the Android browser could permit an attacker to steal the user's local data, according to security expert Thomas Cannon.

Specifically, a malicious website could use the flaw to access the contents of files stored on the device's SD card as well as "a limited range of other data and files stored on the phone", Cannon explained in a blog.

In essence, the problem arises because the Android browser doesn't prompt the user when downloading a file. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort," he said.

A video included with Cannon's post demonstrates the exploit in action using the Android emulator with Android 2.2, or Froyo, but Cannon has found it on an HTC Desire with Android 2.2 as well. Heise Security was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2, according to a report on The H website.

For the demo, Cannon first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.

The Android Security Team responded within 20 minutes of Cannon's notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated. In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:

  • Disabling JavaScript in the browser.
  • Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.
  • Using a browser such as Opera Mobile, which prompts the user before downloading files.
  • Unmounting the SD card.

Though it is clearly a vulnerability that needs to be addressed, there is good news in Cannon's discovery as well.

First, "it is not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system," Cannon pointed out. Rather, it exposes only files on the SD card and "a limited number of others." System directories, in other words, remain protected. Second, "you have to know the name and path of the file you want to steal," he added.

In other words, Android's Linux roots serve to protect the user from anything more than local damage, and that damage is limited to files whose names and paths are predictable, such as pictures taken with the device's camera.

See also: Google Android apps get content ratings


IDG UK Sites

Motorola Moto G vs Nokia Lumia 530 comparison: What's the best budget smartphone

IDG UK Sites

Everything you need to know about Apple's iPhone Camera in iOS 8

IDG UK Sites

Why you shouldn't trust password managers

IDG UK Sites

How to make an 'Apple iWatch' using an iPod nano and a 3D printer