Internet security flaw discovered in Android operating system
November 24, 2010
A new but very serious security vulnerability in the built-in browser of Android smartphones has just been discovered that could allow hackers and Internet attackers to access private data from SD cards in Google smart phones and MIDs (mobile Internet devices).
Additionally, it would also be possible to retrieve a limited range of other private information and specific files stored on the Android phone using this vulnerability.
Redirects can then be used to post the data back to a malicious website.
Cannon has gone public ahead of a update to the Android OS he says will be necessary to fix the problem in order to warn other users of the security risk. He was very keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.
"Google's response so far has been excellent. I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However, in this case, I don't believe they will be able to," said Cannon.
"This isn't because of Google's response process, but because of the way mobile handsets have to receive OS updates from device makers. I therefore believe it's better that users are given a chance to protect themselves at an early opportunity, or at least understand the immediate security risks," Cannon added.
Another means of reducing the vulnerability would be to use a potentially vulnerable mobile handset without an SD card, Cannon hinted.
In a statement, a Google spokesman acknowledged the security issue and said it was in the process of developing and releasing a security patch soon.
"Recently, we've developed a patch for another security issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android," said the Google spokesman.
Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," added Cannon.
You can link to the Internet Security web site as much as you like.