Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

New security flaw discovered in the Android operating system

Add to     Digg this story Digg this    Get a great Linux dedicated server for less than $4 a day!

Share on Twitter

January 30, 2011

A computer scientist has discovered a new security flaw in the latest version of Google's Android mobile operating system that can be exploited to reveal sensitive user information.

The data-stealing vulnerability in Android version 2.3 (dubbed Gingerbread) allows potential attackers to view and upload photos, voicemail and other data stored on a mobile handset's SD memory card said Xuxian Jiang, assistant professor in North Carolina State University's department of computer science.

The security hole, which is exploited when a user clicks on a booby-trapped link, also allows attackers to upload phone apps to a remote server and without the user knowing anything about it.

He said proof-of-concept code successfully carries out the attack on a standard Nexus S phone, which comes with Gingerbread already installed. It's not clear if the attack works on other brands that also run the latest operating system, however.

“We've already incorporated a patch for a security issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone,” a Google spokesman wrote in an email. “We're in constant communication with all our partners.”

The security patch will ship in an upcoming 2.3 maintenance release, Google said.

The information-disclosure threat is similar to one disclosed in November in Android 2.2 by researcher Thomas Cannon. Both security vulnerabilities disclose data only when an attacker knows the precise name and path of a file stored on an SD card.

But the exploit can't break out of the security sandbox, so system data and email, SMS messages and files stored on the phone itself remain off limits, at least for now.

Work arounds until a permanent patch is available include disabling Javascript in the Android browser, using an alternate browser or removing the SD card altogether.

The new but very serious security vulnerability discovered in November could allow hackers and Internet attackers to access private data from SD cards in Google smartphones and MIDs (mobile Internet devices).

Thomas Cannon discovered the JavaScript-related security vulnerability outside his normal job as a corporate security officer. The flaw would allow malicious websites to grab the contents of any file stored on the SD card of an Android smartphone, provided the name and directory path of a targeted file is known beforehand.

Additionally, it would also be possible to retrieve a limited range of other private information and specific files stored on the Android phone using this vulnerability.

The Android security vulnerability arises because of a combination of various factors that mean that when a file from a wireless content provider is opened, the built-in Android browser will run JavaScript without prompting the user. It should prompt the user first, Internet security experts say.

JavaScript running in the context of a content provider can use the xml http protocol (ie AJAX) requests to sniff the contents of files and other data, whether it is of sensitive nature or not.

Redirects can then be used to post the data back to a malicious website.

Cannon has gone public ahead of a update to the Android OS he says will be necessary to fix the problem in order to warn other users of the security risk. He was very keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.

"Google's response so far has been excellent. I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However, in this case, I don't believe they will be able to," said Cannon.

"This isn't because of Google's response process, but because of the way mobile handsets have to receive OS updates from device makers. I therefore believe it's better that users are given a chance to protect themselves at an early opportunity, or at least understand the immediate security risks," Cannon added.

"I came across this security vulnerability while doing some independent research and writing a JavaScript-based demo to show a weakness in the way some applications share data via Android's Content Providers. I was surprised to see that just a simple HTML page with some JavaScript on it could query the content providers and realized that this could be triggered by a malicious site," he added.

Cannon suggests that all Android OS users should either disable JavaScript or use an alternative browser - such as Opera or Firefox - to mitigate against the risk of attacks pending a more comprehensive fix from Google.

Another means of reducing the vulnerability would be to use a potentially vulnerable mobile handset without an SD card, Cannon hinted.

In a statement, a Google spokesman acknowledged the security issue and said it was in the process of developing and releasing a security patch soon.

"Recently, we've developed a patch for another security issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android," said the Google spokesman.

Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," added Cannon.

Add to     Digg this story Digg this    Get a great Linux dedicated server for less than $4 a day!

Share on Twitter

Source: Google.

Save Internet's URL to the list of your favorite web sites in your Web browser by clicking here.

You can link to the Internet Security web site as much as you like.

| Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact |
Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer

Do it right this time. Click here and we will take good care of you!

Get your Linux or Windows dedicated server today.