New Android Exploit Discovered To Steal Data

mimd writes "A researcher at North Carolina State University has discovered yet another Android Browser exploit that affects the new Android 2.3 (Gingerbread) and previous versions. Slashdot recently covered a previous browser exploit that affected all versions of the Android Browser, but was patched in 2.3. Xuxian Jiang writes 'our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone.' The exploit is capable of reading and writing files from an Android's sdcard or system partition as well as uploading user data over the internet."
  • Re:Windowsesqe (Score:5, Interesting)

    by thetoadwarrior ( 1268702 ) on Saturday January 29, 2011 @04:21PM (#35044320) Homepage
    I am a bit unimpressed with how rubbish Android can be at telling you something is wrong. Some apps appear in the market and I can't install them. All it says is it can't download them. So of course I keep trying and it fails. So is it a network error or will it never install because actually it won't run on my G1 and should it even be showing up in the market for me? It's not like it downloads it at all so it's aware of whether my phone can run it in advance so why the generic message?

    I had to do a factory reset on my phone after a Google-created app killed the phone. I suspect it was Google Maps. I say that because even after doing that and Maps was then updated again it would always crash every time I started up the phone. I believe it was about a month later until it was fixed.

    Today my phone and home button quit working and when bringing up the shut-down menu the only option that was there was to turn the phone off. I searched and most people just did a factory reset. I wasn't about to do that. I haven't installed any apps since the last ordeal where I had to do a factory reset and no apps were updated in ages so as far as I was concerned no factory reset should be needed.

    What it was in the end is something like the cookie data for communicating to Google got corrupt for as best as I can tell no good reason. I'm not sure why that should put the phone in a nearly broken state and absolutely no warning message whatsoever so you're left thinking the buttons are broke or something worse. I found you can clear your Google apps cache and log back in and it fixes it. That's ridiculous, imo. I have version 1.6 of Android and there are people with at least 2.2 experiencing this problem. It's not like they're unaware of it.

    I can't bring myself to pay out for an iPhone but I have to say I'm really tempted. The idea of having a phone where you have to worry about it fucking up for no apparent reason and with no warning message is awful. I'm trying to convince myself that even if I get an android phone cheaper I'm still locked in a contract so it is a big deal. But even if I want to pay for an iPhone I don't entirely agree with how Apple manages their app store but more and more I understand completely why they do it.
  • Market updates? (Score:5, Interesting)

    by ace123 ( 758107 ) on Saturday January 29, 2011 @04:55PM (#35044476) Homepage

    <rant>
    Wait, they can't just use Market to push out new browser updates? Something to do with the browser being integrated into the OS? (Yet all third-party browsers are not--can't google at least provide a second non-integrated but secure browser?)

    Are you telling me that one of the *most complicated* applications on the OS which deals with untrusted data from the internet can not be updated? Did the android developers dream that the web browser will not have security bugs?

    Then, did they just push out Android 2.3, *knowing that there was a security bug in the past, and likely to be more in the future*, and still provide no way to release updates to the browser?

    Google, are you serious? </rant>

    /me updates Firefox with the hope of getting a less buggy version

  • by bemymonkey ( 1244086 ) on Saturday January 29, 2011 @05:45PM (#35044724)

    I dunno, isn't the entire underlying engine vulnerable? Browsers like Dolphin don't implement their own engine, but rather just wrap around the existing browser...

    Opera and Firefox should be fine though.

  • Re:Market updates? (Score:4, Interesting)

    by bemymonkey ( 1244086 ) on Saturday January 29, 2011 @05:47PM (#35044734)

    It's inexplicable. This is one area where Google needs to do some serious catching up...

  • Outbound Firewall (Score:4, Interesting)

    by slifox ( 605302 ) * on Saturday January 29, 2011 @07:38PM (#35045208)
    My phone has too much sensitive data to allow just any random program to connect to the internet. So, my default iptables policy is to drop all outbound packets except those matching a whitelist of apps (set by the app's userid). This includes not allowing uid=0 outbound access, in case malicious apps escalate to root.

    DroidWall gives a convenient interface to manage the iptables rules (requires a rooted phone).

    Yes, this is overkill for a regular user, and it cuts out a lot of the convenience of a smartphone (being able to run many internet-using apps). But for me it's less of a toy and more of a personal communication device (email, and yes, occasionally phone :) as well as a personal assistant (data storage, GPS mapping, etc). I wouldn't give a random Windows desktop access to all that data, and Android is becoming very similar to any random Windows desktop (high marketshare of devices; many apps; apps are easy to install; apps can abuse their privileges or often request too many privileges; user base is willing to run any app they see on a whim => exploiters have motive and means to attack)

    On the other hand, the fact that very few "regular users" use iptables on their phone, means that exploiters have no reason to try to target and bypass it. ;) sometimes it's good to be different

    Combining a strict firewall with some prudence in which apps are downloaded/run results in a pretty secure platform.

    (and yes, the data is encrypted/protected against physical loss and communication interception)
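
The outbound policy described in the comment above, sketched as an added example (not slifox's own rules and not DroidWall's code): a default-drop OUTPUT chain with a per-UID allowlist that refuses uid 0. The UIDs are constructed sample values, the open loopback interface is an assumption, and the script only prints the `iptables` commands rather than applying them.

```shell
#!/bin/sh
# Added example: emit iptables commands for a default-deny outbound policy
# with a per-app (per-UID) allowlist. Nothing is applied; review the output
# and run it as root on the device if it matches what you want.

# Constructed sample allowlist: these app UIDs are hypothetical.
ALLOWED_UIDS="10023 10057"

gen_outbound_rules() {
    # $1: space-separated list of numeric UIDs allowed to send traffic.
    # Validate the whole list first so a bad entry emits no partial ruleset.
    for uid in $1; do
        case "$uid" in
            ''|*[!0-9]*)
                echo "error: non-numeric uid '$uid'" >&2
                return 1 ;;
        esac
        # uid 0 is never allowlisted, so an app that escalates to root
        # still has no outbound path.
        if [ "$uid" -eq 0 ]; then
            echo "error: refusing to allowlist uid 0" >&2
            return 1
        fi
    done

    # Set the DROP policy before flushing, so there is no window in which
    # the chain is empty with an ACCEPT policy.
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F OUTPUT"
    # Assumption: loopback stays open for on-device local sockets.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # One ACCEPT rule per allowlisted app, matched on the socket owner's UID.
    for uid in $1; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
}

gen_outbound_rules "$ALLOWED_UIDS"
```

Because every packet that does not match an owner rule falls through to the DROP policy, the allowlist is the complete set of apps that can send traffic, and `iptables -L OUTPUT -v -n` shows per-rule packet counters to confirm which apps are actually using it.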
