Data Stealing Exploit Found in Android
UK-based security consultant Thomas Cannon has identified a serious security flaw in Google's Android operating system. The exploit works on all versions of the platform and could allow an attacker to view and copy files from a device's SD card. Cannon is holding back some of the important details so Google has a chance to fix the flaw, but we do have an idea of how it works.
A malicious website causes the browser to download a specially coded HTML file to the phone's SD card. Once there, the file is executed by JavaScript running on the site. When this HTML file is run locally, it is able to run JavaScript without user consent. An attacker can use this scripting access to copy files from the SD card. The only hitch? The exact filename and path must be known ahead of time.
This is not, as far as anyone knows, being actively exploited anywhere. There are some apps that always store important files in identical directories when installed, so it is possible an attacker could know where some files are kept. It is unclear what Google will do about this. All Android phones are affected. Will manufacturers and carriers be willing to push out updates even for older phones?
