Security Expert Warns Of Android Browser Flaw

Tom Jowitt,

Google is working on a fix to a zero-day flaw that could see Android users’ data being accessed by hackers

Google Response

“We’ve developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user’s SD card,” said Google, in an emailed statement to eWEEK Europe UK. “We’re working to issue the fix to our partners and open source Android.”

Google reiterated that this issue can only affect users who browse to a specially crafted website, and it requires knowing a file’s name and directory path in advance. The search engine giant also said that it is creating an advisory to be shared with its partners about this issue.

Google also pointed out that the issue is contained within the Android browser sandbox, and that file names are not easy to guess or predict, particularly on later Android software versions. It said that photos on devices running Froyo, for example, are not numbered with a standard pattern.

End User Advice

In the meantime however Cannon is advising Android users to take a number of steps to protect themselves.

“I don’t expect to see the exploitation of this issue become widespread, but if you are really worried about it there are a few things you can do to identify it or prevent it,” he wrote.

His advice is as follows:

  • When the payload is downloaded it generates a notification in the notification area, so watch for any suspicious automatic downloads. It shouldn’t happen completely silently.
  • You can disable JavaScript in the browser (uncheck “Settings > Enable JavaScript”)
  • You can use a browser such as Opera Mobile for two reasons: 1) It prompts you before downloading the payload 2) If a vulnerability is found you can easily update a 3rd party browser after they release a fix.
  • Google have advised that another option is to unmount the SD card (“Settings > SD & phone storage”). This could have an impact on the usability of the device but for some situations, perhaps in organisations, I can see this could work. It has not been fully tested, however.

“A word of caution though, you may prevent the automatic exploit this way, but as always you will still need to be vigilant and watch for other vectors, such as an HTML file sent through email,” Cannon warned.

This is not the first time Android has suffered security concerns. Security firm Coverity recently conducted an analysis of the kernel used in the Android smartphone software, which turned up 88 high-risk security flaws that could be used to expose users’ personal information. And earlier this month, Google’s Android Market reportedly had major problems letting Android smartphone  users download and install apps.

The next version of Android 2.3 (Gingerbread) is reportedly close to being released to all users, after Google shipped the next version of the OS to its Nexus One smartphone users in early November.