Android flaw poses drive-by data slurp risk

A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets. Thomas Cannon discovered the JavaScript-related vulnerability outside his normal job as a corporate security officer. The hole would allow …

COMMENTS

This topic is closed for new posts.
  1. src
    Unhappy

    Samsung Support

    Since buying my Samsung Galaxy in October 2009 there has been exactly one update provided by Samsung. This "update" still left me running the ancient version 1.5 of the OS. What is the likelihood that I will see a fix for a security problem like this?

  2. Tommy Pock

    Just as I do on my PC

    I use Opera on my phone, so things like this don't affect me. Thanks for the heads up though.

    1. Steven Knox
      Headmaster

      Correction

      "I use Opera on my phone, so things like this don't affect me -- as far as I know."

      Corrected. I'm an Opera fan myself, partly for its relatively good security track record, but my excessive pedantry will not allow such a broad statement to pass. Every browser has its security flaws, and often the ones we don't know about carry the most risk.

  3. [Yamthief]
    Megaphone

    It's frustrating...

    ...being an owner of an Android device which isn't a Nexus for this exact reason. The instant a bugfix or a new version of the OS is released, it takes ages to work its way through the manufacturers, then the carriers. I still don't have 2.2. There are a lot of phones which are stuck on 1.6. I think upgrading the handset to a latest model is the best way to keep the software up to date :(

    I would have thought that if it's a straightforward thing to fix, it could be done by an "update.zip", but this may be another thing that the "fragmentation" of Android makes slightly more difficult to carry out.

  4. Push the red button Igor ...

    A blessing in disguise?

    <unrealistic_dream_mode>

    All we need is for Google to release the patch/update now, and for a group of users to then fall prey to this flaw because their mobile service providers had not provided the update. Would the users not then have a case to pursue some sort of claim against the service provider?

    Of course, the service providers are themselves subject to delays because of the handset manufacturers, so wouldn't they also have a case to effectively 'pass on' the claims to the manufacturers?

    End game: we get a straighter path from OS Developer to Handset User, and everyone sleeps more easily.

    </unrealistic_dream_mode>

  5. JaitcH
    Happy

    How refreshing, how different: Major OS owner admits defects:

    Unlike a certain walled, perfumed California garden where everything is declared to be perfect, Google, without any prevarication, openly admits an error. Obviously the response of an entity with credibility.

    Others pretend there is no problem whilst working their butts off to correct the deficiencies.

    1. ThomH

      Is anybody talking about Apple?

      I really don't see how Apple are at all relevant to this discussion. I can also think of other major OS owners that admit defects, making this not refreshing or different at all. Microsoft are one such.

      1. Tempest
        WTF?

        @ Is anybody talking about Apple?

        Jobs repeatedly denied there have been problems with the Lemon 4.

        Realists call this lying, avoiding the problem, etc. Just as well the walled, perfumed garden has a large sandpit - that pair of Jeans is all that shows as Jobs buries his head in the sand.

        1. Sean Baggaley 1
          FAIL

          "Research"...

          ... doesn't mean clicking twice on your browser's "search" button.

          Perhaps you'd care to explain Apple's release of OS X "Snow Leopard" to the class... or did you miss the part where Jobs *explicitly* stated that their focus for the OS X 10.6.x included such trivial features as _stability_?

          (I can point you at the relevant videos if you like.)

          Also, if Android is so effing awesome and perfect, why isn't it still on version 1.0? Oh right: it isn't. It has bugs. It sucks no more or less than every other bloody OS on the planet and is no more or less prone to bugs, security problems and so on.

          *

          The iPhone 4 "Antennagate" issue appears not to have been such a big problem after all: Check out the sales of the device if you don't believe me. The iPhone 4 has sold *better* than its predecessor.

          Either all those customers are perfectly satisfied with the reception they're getting, or the media were just whipping up a storm in a teacup. The latter option is, of course, utterly unthinkable given the news media's unassailable reputation for factual accuracy, rock-solid research, and only telling us the truth, the whole truth, and nothing but the truth.

          (Yes, I found it hard to write that last bit with a straight face, so I can understand how you might have difficulty reading it with one.)

    2. Anonymous Coward
      Flame

      Is this the same "credible" company...

      ...that (allegedly) steals intellectual property and has scant regard for any user's privacy? Fucking fandroids, when are you going to actually smell what you are shovelling? ALL the major players are as bad as each other. Shush. Fekkin' dullard.

  6. Anonymous Coward
    Flame

    Weak link?

    I thought Android fragmentation didn't exist and was a myth made up by Steve Jobs? How can this be, that's unpossible!!

    1. petur
      Troll

      RE: Weak link?

      What does this have to do with fragmentation? Nothing. Stop trolling...

      What Android needs is an update system like for example Ubuntu (and to some degree the Nokia N900), where updates can be pushed (the owner still decides if he installs). On N900, the updates come through for apps, not for the OS itself. But there's a community (with patched kernels) that deals with it there....

      1. Anonymous Coward
        Anonymous Coward

        As you seem to have missed it, Petur...

        The fix is only going to be made available to people who can install the very latest update to Android. Ergo, a massive number of Android owners are going to have to wait months and months for it to be released for their handset, and a substantial chunk are never going to receive the update. The fragmentation issue has everything to do with this.

  7. Tom 7

    When you reinvent the wheel

    it may be a while before you realise you've reinvented the traffic accident in a long alpine tunnel as well.

    Hence MS update....

  8. Anonymous Coward
    Boffin

    Updates

    Security updates (as opposed to feature updates) should not have to go through device manufacturers or network operators. It should be the case that they are pushed directly from the OS manufacturer. Of course, the waters muddy when a security update breaks existing manufacturer or network operator code....

  9. MaXimaN
    Troll

    Obvious

    Obvious Troll is obvious.

    The time taken for Android updates by manufacturers is largely due to having to update the layers of custom UI bloat - such as HTC's Sense, which is actually not that bad - followed by testing time by the operator.

    In the case of a fix for this there shouldn't be a great deal of work to do by the handset manufacturer and a limited amount of testing required by the operator. So if Google can come up with a fix for this then an update should be available within weeks, rather than months.

    1. David Dawson
      Go

      I agree on every point, but...

      As you say, HTC Sense actually ain't that bad.

      Of all the manufacturers, HTC has delivered 2.2 on many of its handsets, whereas many of the ones shipping (mostly) vanilla Android haven't yet done so.

      And then we have Motorola and Sony Ericsson, who are leaving people stuck on 1.6.

      Not sure what the point of this comment was really. I agree I think.

      1. Anonymous Coward
        Happy

        not quite...

        "Of all the manufacturers, HTC has delivered 2.2 on" its newer "handsets", leaving everyone else out in the cold despite initially promising to upgrade every model. TFTFY!

        petur, this is *textbook* fragmentation, or are you just another delusional fandroid? I suspect it's the latter...

  10. andy gibson

    Hacker needs to know the file name and location?

    What next? The hacker needs to know the contents of the file?

    1. Michael C

      we know lots of these

      It's called the e-mail repository, contact database, or any other core file containing user data we might want. The name and path are determined by the OS. In any Android device with little or no internal storage, these files will be on SD.

  11. Tigra 07
    Flame

    No tit required, Sony Ericsson has enough of em

    Good job there's other browsers or Sony Ericsson might actually have to get off their arse and bring the updates out faster.

    I'm still waiting for 2.1 that was promised in September!

  12. Tommy Pock

    Quick tip for X10 owners, possibly others.

    If you're on O2 and you can't update yet, uninstall the bundled PC Companion, and install the one available from the Sony Ericsson website. That'll find and install the OS update.

    1. Tigra 07
      Happy

      RE: Tommy Pock

      Cool, will try that =]

      thanks

      1. Tigra 07
        Thumb Up

        RE: Tommy Pock

        Anyone who couldn't update using the Sony Ericsson update manager should use the SEUS.

        It's quicker and actually works

  13. Michael C

    More power = more issues

    iOS ain't that bad. It has issues, and limits, but being single sourced for patches and updates, and a strong commitment to ensure devices get those patches for at least 2 if not 3 years, means I don't get left in the cold with my brand new device and a security hole that will never be patched.

    This is a limited attack, but they're getting more and more serious, and better designed, and sooner rather than later there will be a "critical" class security breach on the OS, and for millions of owners they'll have no defense other than to turn it off.

    If you own an Android that isn't already running 2.2, I suggest you join a class action suit somewhere (or start one) to get a guarantee (and SLA) on patch releases and updates for at least last-sale-date + 2 years.

    I love Android. I think it's a fantastic and powerful OS. I'll not own a device with it on it until I get such a guarantee.

    I don't have one necessarily from Apple, but enough people WOULD sue Apple (and win) if they stopped patching devices still under warranty, not to mention they actually do care about their consumers, and have a good history of patching (viable) threats with speed (they take their sweet time on incomplete POC exploits and attacks that have no viability to actually work, and they should take their time, when we have no real risk).

    Google needs to get control of the vendors. Until that happens, Android is a security issue waiting to happen. This is going to get bad fast.

  14. Anonymous Coward
    Happy

    Dolphin HD

    I started to use Dolphin HD as my browser a few weeks back. It's fast and more powerful than the built in one.....it's probably got flaws too.. I note that it's up in the top 5 right now according to AppAware - probably because of this scare

  15. Anonymous Coward
    Anonymous Coward

    Andrones

    Please do not expect the andrones to listen, you are wasting your breath. They love Google, they hate Apple and Microsoft, anything that suggests Android may not be the be all and end all will result in an attack on Apple (relevant or not).

    Andrones are as bad as the bloody fanbois.

    I own a 3GS, it's due for a renewal soonish, would like an Android device, but not willing to take any device that is not going to get updates from the manufacturer (downloading ROMs from the web does not count as support). If Google get out a Nexus 2 that might be my next device, or I will wait to see if any hardware mfrs begin to support the Android platform properly (and not just expect me to buy a new phone to ensure security and features are kept up to date).
