Gingerbread Flaw Could Expose Apps, microSD Content


What’s the difference between a “security researcher” and a “hacker”?

Someone has discovered a way to steal data from the microSD card in your Android device through a vulnerability in the Browser app. The someone in question is Xuxian Jiang, an assistant professor at North Carolina State University. Lucky for us, he’s one of the good guys — not a “hacker” in the malicious sense of the word.

While working on an Android-related project, he discovered a flaw in the Android 2.3 browser. Ironically, a similar bug was recently found — and fixed — in the Android 2.2 browser. The exploit apparently isn’t very hard to implement, but it does require some detailed knowledge of JavaScript and Android.

“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone. The attack works by requiring the user to visit a malicious link.”

Essentially, a user would follow a link to a malicious website, where an attacker could not only list all applications installed on the user’s device but also upload any apps located in the /system and /sdcard locations to a remote server.

It’s not just apps. The attacker could also upload any files stored on the phone’s SD card — as long as they know the exact file name and directory path.

Google has reportedly contacted Jiang and has already developed a fix, which will be deployed in a forthcoming update.

If you’re running Android 2.3 and want to avoid the problem until the patch comes out, you can temporarily disable JavaScript in the browser, or even use another browser like Dolphin or Skyfire.

Source: eWEEK

About The Author
Joe Levi