Android Browser Flaw Exposes User Data

[nsane.forums]

A vulnerability in the Android browser could permit an attacker to steal the user's local data, according to a report yesterday from security expert Thomas Cannon.

Specifically, a malicious Website could use the flaw to access the contents of files stored on the device's SD card as well as "a limited range of other data and files stored on the phone," Cannon explained.

In essence, the problem arises because the Android browser doesn't prompt the user when downloading a file. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort," he noted.

A video included with Cannon's post demonstrates the exploit in action using the Android emulator with Android 2.2, or Froyo, but Cannon has found it on an HTC Desire with Android 2.2 as well. Heise Security was able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2, according to a report on The H.

For the demo, Cannon first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.

Protective Measures

The Android Security Team responded within 20 minutes of Cannon's notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated.

In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:

* Disabling JavaScript in the browser.

* Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.

* Using a browser such as Opera Mobile, which prompts the user before downloading files.

* Unmounting the SD card.

The Android Advantage

Though it is clearly a vulnerability that needs to be addressed, there is good news in Cannon's discovery as well.

First, "it is not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system," Cannon pointed out. Rather, it exposes only files on the SD card and "a limited number of others." System directories, in other words, remain protected.

Second, "you have to know the name and path of the file you want to steal," he added.

View: Original Article

[tipo]

A flaw affecting the default Android browser allows remote attackers to steal data from smartphones, as long as they know the location of targeted files on the SD cards.

The security issue was discovered by a pen tester named Thomas Cannon while he was assessing the security of an application, and according to him, it's the result of a combination of factors.

First of all, the default Android browser doesn't prompt users when downloading an .html file. A notification is generated in the notification area, but the action itself doesn't require approval.

In addition, JavaScript can be used to automatically open the downloaded file, causing it to be parsed in the context of the local storage.

The same origin policy normally prevents code from accessing remote resources, but since this file is rendered locally, the restriction does not apply.

"While in this local context, the JavaScript is able to read the contents of files (and other data)," Cannon explains. This information can then be sent back to the remote server.

The attackers need to know the exact name and location of the targeted files, but some applications always store data in the same place. For example, camera pictures are saved with consistent names that can be determined in advance.

The vulnerability was reported to Google last Friday and the company plans to include a fix for it in the first maintenance release of the upcoming Android 2.3 (Gingerbread).

However, since most device manufacturers handle Android updates on their own, usually in an untimely fashion, it will probably take a long time until many phone models will get a patch.

Because of this, Cannon, who is normally an adept of responsible disclosure, has decided to make the issue public now in order to give users a heads up.

Possible mitigation solutions include disabling JavaScript in the browser under "Settings > Enable JavaScript," not using an SD card, or switching to a different browser like Opera Mobile. For many reasons, the alternative browser solution is the most practical one.

link

[DKT27]

Threads merged. Please search before posting. Tip: News bot makes max 3-4 threads in a day in security and privacy news. :rolleyes: