Security Expert Warns Of Android Browser Flaw

Google is working on a fix to a zero-day flaw that could see Android users’ data being accessed by hackers

A British security expert, Thomas Cannon, has discovered a potentially serious vulnerability in the Android browser that could expose the data on a user’s mobile phone or tablet to attack. Google confirmed to eWEEK Europe UK that it is currently working on a fix.

Cannon discovered the vulnerability in the Android browser and then informed Google, before posting information about the flaw on his blog.

“While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,” Cannon wrote. “It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.”

SD Card Data

Cannon said that he had been asked (“nicely”) not to reveal too many details about the flaw, which he agreed to do as it was his intention “to inform people about the risk, not about how to exploit users…”

Cannon described how, if a user happens to visit a malicious website, the flaw will allow hackers to access the contents of files stored on the handset’s SD card, as well as “a limited range of other data and files stored on the phone.”

Put simply, the problem is potentially serious because the Android browser does not prompt the user when downloading a file, but instead automatically downloads the file to a specific directory on the SD card.

JavaScript could be used to automatically open this payload.

“Then, once the JavaScript has the contents of a file it can post it back to the malicious website,” wrote Cannon. “This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort.”

All Android Versions

What this means is that the flaw affects all versions of Android, even the latest Android 2.2 (Froyo), and some of the most popular mobile handsets, such as the HTC Desire running Froyo. Cannon also said that he found the flaw on the Android emulator (1.5, 1.6 and 2.2) in the SDK.

Meanwhile, Heise Security revealed on The H Open website that it was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2.

The good news, however, is that there is a limit to this exploit, as the hacker has to know the name and path of the file they want to steal.

“However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention too,” warned Cannon. “It is also not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system, only those on the SD card and a limited number of others.”

Cannon demonstrated the ‘proof of concept’ exploit in action in a video posted on his blog page.