About a month ago, we learned of a WebKit-based bug that would could affect Android users on 2.1 and below, and today another Android browser flaw has come to the light. This time, the exploit (which you can see in action here) involves JavaScript and allows access to files stored on the device's SD card as well as a "limited range" of other data on the handset. The problem is that the stock Android browser doesn't alert a user when a file begins downloading, meaning that the exploit can take place without any sort of prompt or warning to the user. The Android Security Team is aware of the issue and says that a patch will be included in a Gingerbread maintenance release. If you'd rather not wait that long, here are some suggestions to help protect yourself:
Disabling JavaScript in the browser.
Watching for suspicious automatic downloads, which should be flagged in the notification area. "It shouldn't happen completely silently," Cannon notes.
Using a browser such as Opera Mobile, which prompts the user before downloading files.
Unmounting the SD card.
While I'm glad to see the Android Security Team respond to the issue so quickly, it's kind of disappointing that we'll have to wait until after Gingerbread is launched to see a fix. Sure, you don't hear about mobile attacks very often, but the fact that a user could unknowingly have their data accessed is a little unsettling. Plus, there's the fact that many Android phones won't see Gingerbread. Heck, there's a lot of handsets that won't even get 2.0! Here's to hoping the big G can get a fix going for all the users below 2.3 at some point in the future. If not, I'm sure the Android hacking community could get something together.
No comments:
Post a Comment