Android 2.3 security vulnerability allows remote viewing of files

Patch was not stuck on properly
Mon Jan 31 2011, 10:28

RESEARCHERS at North Carolina State University (NC State) have discovered a security vulnerability in Android 2.3 that allows unauthorised access to files on a device's storage card.

The vulnerability in Android 2.3 was discovered by Xuxian Jiang, an assistant professor in NC State's Department of Computer Science. Jiang says it is similar to one reported in Android 2.2. That earlier vulnerability was supposed to have been patched in Android 2.3; however, Jiang says the patch is "not an ultimate fix and can still be bypassed" in Android 2.3.

Jiang and his colleagues used a Nexus S to demonstrate a proof-of-concept exploit which, he says, can obtain the list of applications installed on a device, upload those applications to a remote server and, most worrying of all, read and upload the contents of any file stored in the device's /sdcard folder. Jiang adds one caveat: to read and upload a file, the attacker needs to know its exact path and filename in advance, so the exploit cannot simply browse the card for interesting files.

Google's Android Security Team was made aware of the vulnerability and has confirmed its validity. Google told Jiang that an "ultimate fix" will be included no later than the next "major release of Android".

The next release of Android likely to be classified as major is Android 3.0, known as Honeycomb. Given that the Nexus S is currently the only phone shipping with Android 2.3, let alone whatever major release follows it, Jiang offers some advice to those who want to mitigate the vulnerability in the meantime.

Jiang suggests disabling JavaScript in the stock browser or switching to a third-party web browser such as Mozilla's Firefox. He adds that unmounting the /sdcard directory will also help, although that might "greatly affect the usability of the phone".

Google might offer patches for serious security vulnerabilities such as this, but users might have to wait for handset manufacturers to tweak and release the next version of Android before they get the fixes.


Comments
Terrific

Google told Jiang that an "ultimate fix"
will be included no later than the next
"major release of Android".

So how will that help anyone out there with a two year contract on a brand new phone that won't be updated by either the handset manufacturer or network operator in a timeframe that's useful to the end user?

"Want your data to be secure? Please wait 8 months whilst we think about an update. If we can be bothered. And we may screw it up anyway"

posted by: Bazza, 31 January 2011
Terms

In other words: android 2.3 is facebooked

posted by: W.-, 31 January 2011