Android Security Cellphones Handhelds

New Android Exploit Discovered To Steal Data

Posted by timothy
from the damn-androids-have-no-consciences dept.
mimd writes "A researcher at North Carolina State University has discovered yet another Android Browser exploit that affects the new Android 2.3 (Gingerbread) and previous versions. Slashdot recently covered a previous browser exploit that affected all versions of the Android Browser, but was patched in 2.3. Xuxian Jiang writes 'our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone.' The exploit is capable of reading and writing files from an Android's sdcard or system partition as well as uploading user data over the internet."
This discussion has been archived. No new comments can be posted.

  • You'll see boobies. I promise

    Seriously, the only way you can protect users is to take the phone from them. Be conscious about what you're doing with your phone. Despite it acting like a computer that fits your pocket, it's still just a phone.

    • I generally would agree with you, but in cases like this it is not necessarily the user's fault. If the bug is really like the article describes, just clicking a link can exploit it - and you can avoid clicking in the "click here to see boobies", but not some google results that appear to be legit, or some links in forums, etc. If in fact you need to RUN something, then, yes, it will be the user's fault.

    • by qbast (1265706)
      Hey! I clicked dozen times and still no boobies! Internet must be broken or something ...
  • by Illogical Spock (1058270) on Saturday January 29, 2011 @03:37PM (#35044394)

    I'm not minimizing the problem or its potential consequences, but the article says:

    For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now.

    So the problem is the browser, not the OS, and it can be circumvented by using another browser (what a lot of people do, for example Opera and Dolphin). Good to know, since I use Dolphin most of the time, and Firefox Beta (still terribly buggy) now and then.

    • by bemymonkey (1244086) on Saturday January 29, 2011 @04:45PM (#35044724)

      I dunno, isn't the entire underlying engine vulnerable? Browsers like Dolphin don't implement their own engine, but rather just wrap around the existing browser...

      Opera and Firefox should be fine though.

  • The Nexus S doesn't have an SD card slot, I assume the exploit also allows uploading of anything in the phone's internal storage area but "removing the SD card" as a workaround isn't going to work on the Nexus S!

    • It will work. The phone will be dead, so nobody (even you) will read or write anything in the SD anymore. :-)

      (I have a Nexus, and the only thing I couldn't understand and think would make the phone even better is the lack of a SD port)

    • by Tacvek (948259)

      Android devices have two main storage locations. One is internal storage. That term specifically refers to the device mounted on /data , in which user downloaded apps, and internal app data is stored. (This is in reality pretty much always a partition on the same storage device as provides the partition mounted on /system (a.k.a. the "ROM")).

      The other is known as shared storage, and it is invariably SD. On phones without an external SD card slot, this is either an internal SD card slot, or more frequently a

  • Market updates? (Score:5, Interesting)

    by ace123 (758107) <patrick.horn@gmail.com> on Saturday January 29, 2011 @03:55PM (#35044476) Homepage

    <rant>
    Wait, they can't just use Market to push out new browser updates? Something to do with the browser being integrated into the OS? (Yet all third-party browsers are not--can't google at least provide a second non-integrated but secure browser?)

    Are you telling me that one of the *most complicated* applications on the OS which deals with untrusted data from the internet can not be updated? Did the android developers dream that the web browser will not have security bugs?

    Then, did they just push out Android 2.3, *knowing that there was a security bug in the past, and likely to be more in the future*, and still provide no way to release updates to the browser?

    Google, are you serious? </rant>

    . /me updates Firefox with the hope of getting a less buggy version

    • Re:Market updates? (Score:4, Interesting)

      by bemymonkey (1244086) on Saturday January 29, 2011 @04:47PM (#35044734)

      It's inexplicable. This is one area where Google needs to do some serious catching up...

      • by fluffy99 (870997)

        I would love to see Google try to rein some of the uncontrolled nature of Android back in. Establishing a central software repository of all of the forks of Android would be a great start. All of the manufacturers that have tweaked Android for their specific devices could provide copies of their loads, ideally including the source and details of their changes. This would give users one central place to look for updated 'firmware' (yeah I know, but that's what the vendors keep calling it). As it stand

        • by exomondo (1725132)

          I would love to see Google try to rein some of the uncontrolled nature of Android back in.

          That's the downside of the free open source nature of Android though, anyone can use it, anyone can build a device that runs it and anyone can lock it down on the device they sell.

          • by fluffy99 (870997)

            I would love to see Google try to rein some of the uncontrolled nature of Android back in.

            That's the downside of the free open source nature of Android though, anyone can use it, anyone can build a device that runs it and anyone can lock it down on the device they sell.

            And unfortunately, anyone can and does sell crap hardware with Android on it which severely tarnishes the reputation of Android. China is flooding the market with low-end, very slow hardware. People are getting frustrated and getting the perception that Android is garbage and not user friendly. It doesn't help when the high-end tablet makers can't seem to sell anything that doesn't cost $2-300 more than an iPad.

            • by exomondo (1725132)

              China is flooding the market with low-end, very slow hardware. People are getting frustrated and getting the perception that Android is garbage and not user friendly. It doesn't help when the high-end tablet makers can't seem to sell anything that doesn't cost $2-300 more than an iPad.

              That's the core issue, the average consumer isn't going to be able to justify spending $600 on an Android tablet that has a 7" touchscreen, GPS, wifi, 3G, etc... when they can get one with the same features for $159, nevermind the fact that the hardware in the cheap one is rubbish and slow and only runs Android 1.6.

              They need to try them out side-by-side, but even then once they've been lured in with dirt-cheap prices the chances of actually spending 400% of the cost of the cheap one are quite slim.

    • by fluffy99 (870997)

      Assuming the phone even has access to the Market. Many don't have access to the standard Android Marketplace and can only get to the one the telco restricted the phone to. For the slew of Tablets out there, many can't get to the Android marketplace either. Also note that many of those are running dead-ended or proprietary/custom builds that are no longer supported and might not see any future updates at all.

      The "fragmentation" of Android is perhaps its biggest shortcoming. There is no such thing as a s

    • They've had built-in apps that you couldn't update through Market until recently-- Mail and Maps are two well-used examples.

      While I agree with your sentiment that they should've employed at least a bit more forethought to this, this could motivate them to detach the browser from the OS (assuming that's possible), and push it as a standalone app on the Market where it can be updated independently of the OS.

      What would be ideal, though, is updates for all OS components through the Market, similar to Ubuntu OS

      • Mini-rant (and OT): The HTML tag <i> was permitted before the update, now the current comment software filters it out in "Plain Old Text" mode for some reason-- it's even in "Allowed HTML", for goodness' sakes. I don't suppose this is a test case that was overlooked? Maybe the new CSS sets a rule for the tag to "text-style: normal;"?

    • by drinkypoo (153816)

      . /me updates Firefox with the hope of getting a less buggy version

      Apparently you're not running Minefield, which was working fine for me a couple weeks ago, and now explodes or ignores clicks before I can even get a page open.

      On a vaguely related note, wine1.3 worked for HL2 two weeks ago, then didn't a week ago, now does again. I love wine, for all my bitching.

    • by sridharo (1433649)
      Spot on!
  • I received a text message from someone I don't know that said "don't tell anyone with an iPhone, but there's another browser exploit in my Android phone!"

    I kid, I kid.

    • You are just joking, but I need to answer. ;-)

      The iStuff have the most severe exploit of all: Apple can do what they want with the iStuff, like delete things.

      And this one exploit will never be fixed.

      • by jo_ham (604554)

        So can Google. Both ecosystems have remote kill switches.

        Google has used theirs too.

          How can they remove a program that I've installed through my USB without knowing the name of the package? It can work for Market only, and they've used it once for a specific exploit.

          Anyway, I love to rant about Apple. ;-)

      • They might be able to remove an app from your phone, but they can't remove the backup you made to your PC.

  • Outbound Firewall (Score:4, Interesting)

    by slifox (605302) * on Saturday January 29, 2011 @06:38PM (#35045208)
    My phone has too much sensitive data to allow just any random program to connect to the internet. So, my default iptables policy is to drop all outbound packets except those matching a whitelist of apps (set by the app's userid). This includes not allowing uid=0 outbound access, in case malicious apps escalate to root.

    DroidWall gives a convenient interface to manage the iptables rules (requires a rooted phone).

    Yes, this is overkill for a regular user, and it cuts out a lot of the convenience of a smartphone (being able to run many internet-using apps). But for me it's less of a toy and more of a personal communication device (email, and yes, occasionally phone :) as well as a personal assistant (data storage, GPS mapping, etc). I wouldn't give a random Windows desktop access to all that data, and Android is becoming very similar to any random Windows desktop (high marketshare of devices; many apps; apps are easy to install; apps can abuse their privileges or often request too many privileges; user base is willing to run any app they see on a whim => exploiters have motive and means to attack)

    On the other hand, the fact that very few "regular users" use iptables on their phone, means that exploiters have no reason to try to target and bypass it. ;) sometimes it's good to be different

    Combining a strict firewall with some prudence in which apps are downloaded/run results in a pretty secure platform.

    (and yes, the data is encrypted/protected against physical loss and communication interception)
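The outbound whitelist policy described in the comment above, sketched as an added example (not the commenter's rules and not DroidWall's code): it builds an `iptables-restore` ruleset that drops all outbound traffic except from listed app UIDs, refuses uid 0, and audits a ruleset for the same two properties. The function names and the UIDs 10023 and 10045 are constructed for illustration.

```shell
#!/bin/sh
# emit_ruleset UID...  -> prints an iptables-restore ruleset on stdout.
# OUTPUT policy is DROP; only loopback and the listed UIDs may send packets.
emit_ruleset() {
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "invalid uid: $uid" >&2; return 1 ;;
        esac
        # Never whitelist root: an app that escalates to uid 0 stays blocked.
        if [ "$uid" -eq 0 ]; then
            echo "refusing to whitelist uid 0" >&2; return 1
        fi
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    for uid in "$@"; do
        echo "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    echo 'COMMIT'
}

# audit_ruleset < ruleset -> prints OK or FAIL lines; non-zero exit on failure.
# Works on emit_ruleset output or on text saved from iptables-save.
audit_ruleset() {
    awk '
        /^:OUTPUT / { policy = $2 }
        /^-A OUTPUT / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--uid-owner" && ($(i+1) == "0" || $(i+1) == "root"))
                    root = 1
        }
        END {
            if (policy != "DROP") { print "FAIL: OUTPUT policy is " policy; bad = 1 }
            if (root) { print "FAIL: uid 0 is allowed outbound"; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed sample: two app UIDs allowed out, everything else dropped.
emit_ruleset 10023 10045 | audit_ruleset
```

To apply the generated rules, pipe the output of `emit_ruleset` into `iptables-restore` as root.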
    • So does or did this whitelist ever contain the default Android browser?

      • by slifox (605302) *
        No, and it doesn't have to be whitelisted for other things to work. Obviously you most likely want to include things like Gmail, Gtalk, and a few other odd system-related users. It'd be great to narrow it down even further, but you do what you can...

        I don't really think smartphones make very good web browsers anyways.

        Obviously there is no failsafe protection -- the best you can do is add some more layers and diversify enough that you're not part of a huge group of easy targets.
    • by tkprit (8581)
      For non-rooted androids, AndFire [google.com] (page has lots of "And..." apps, but AndFire is the Firewall) is decently solid. Imo. (I haven't rooted yet. Blimey, I'm lazy.) It's not in the Market, but the Market firewalls are pretty much crap imo.
  • I don't really follow the smartphone scene, but aren't there some Android-based phones that currently can't be upgraded to a later OS version? Are owners of those phones just less secure, or are there patches available, if not full upgrades?

    • by Anonymous Coward

      Most Android phones don't receive any official OS updates from the vendors. However there is a very strong 3rd party community that puts together custom firmware for just about any device. So as long as you're not afraid to root your phone and install a custom firmware, you'll be able to update just fine.

  • like most open source projects, the patch will be out in less than 2 days, then you can download, patch, compile and install. ohh, wait a minute ... where is the repo command in Android?

  • I do. Why don't you too? ;)

  • Just use Windows Mobile 7 which steals your data out of the box.
  • Maybe I'm reading this wrong, but it seems like if you d/l a different browser, you're good?

    (Though I'm actually glad Market doesn't automatically update stuff unless you specifically request it to check for updates; sometimes updates can suck. What Google SHOULD do is inform you of your options (d/l update; get new browser; turn off j/s), but I don't want them putting anything on my phone w/out my knowledge. That's so... **apple/microsoft**)
