Researchers at North Carolina State University (NC State) have discovered a security vulnerability in Android 2.3 that allows unauthorized access to files on a device’s storage card. The vulnerability was first discovered in Android 2.2 last year, and Google promised to patch it in the next version. However, a researcher has revealed the hole still exists in 2.3 on Google’s own Nexus S handset.

“Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed,” wrote Xuxian Jiang, an assistant professor at NC State University.
“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone,” he said.

If a user is tricked into visiting a malicious site, the flaw could let hackers view any files stored on the SD card, as well as view a list of apps and upload them to a remote server. Jiang noted that because Android is sandboxed, the attack can only access a few files other than those on an SD card. Jiang adds that to read and upload files, the exact path and filename need to be known.

Google’s Android Security Team was made aware of the vulnerability and has confirmed its validity. Google told Jiang that an “ultimate fix” will be included no later than the next “major release of Android”. The next release of Android that is likely to be classified as major looks to be Android 3.0, known as Honeycomb. Given that the Nexus S is the only phone running Android 2.3 at the moment, let alone the next major release following that, Jiang offers some advice to those who want to mitigate the security vulnerability.

Jiang suggests disabling JavaScript or switching to a third-party web browser such as Mozilla’s Firefox. He adds that unmounting the /sdcard directory will also help, though that might “greatly affect the usability of the phone”. Despite Google’s failure to fix the flaw the first time around, Jiang praised the company for its quick response. “From the interaction, I can tell that it took this issue seriously and the investigation was started immediately without any delay.”

Google might offer patches to serious security vulnerabilities such as this, but users might have to wait for handset manufacturers to tweak and release the next version of Android before they get the fixes.
