Security Expert Warns of Android Browser Flaw
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'"
Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.
linkbait (Score:3, Informative)
1. Have to know full path to a file to view it.
2. Have to download a file, presumably from someone you don't know and trust.
3. This is in all browser versions, so how exactly does fragmentation factor in?
Like everything else, buzzwords like Android fragmentation guarantee hits.
Abuse of "zero-day" term? (Score:5, Informative)
"Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.
TFA says Cannon gave Google prior warning, so this isn't zero-day, right?
http://en.wikipedia.org/wiki/Zero-day_attack
I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.
Re:linkbait (Score:2, Informative)
You didn't read TFA, did you?
1. Many file paths are standard and known; they are set by the OS or application.
2. The download is automatic when you visit a malicious website.
3. Fragmentation factors in because a fix can't be rolled out quickly (or at all) to the fragmented handsets which may or may not get updates from the OEMs/Carriers.
Re:linkbait (Score:5, Informative)
Fragmentation affects the creation and distribution of the patch.
Re:Chester Wisniewski's point is invalid, IMO (Score:3, Informative)
They just don't want to spend any more money on it. Android code gets released, then the OEM customizes it, and then the carrier finally customizes it. That's a lot of work -- the 10 or so current phones they've got out, plus their entire back catalog. They've already got your money. So long as it doesn't affect their network, why do they need to bother? It only takes one of the OEM or carrier to decide it's not important.
Chester was entirely wrong about Windows Phone, too, unless he is confusing it with Windows Mobile (the pre-7 stuff). Windows Phone 7 is the complete opposite of how Android is doing it: Microsoft is basically trying to create an iPhone competitor in every way, but allowing for multiple devices. To do this they made very stringent hardware and software requirements -- all the phones are basically exactly alike on the inside. Samsung couldn't even use their own Hummingbird processor, because Microsoft only allows the Snapdragon. They also don't allow OEMs or carriers to modify the OS -- the most they can do is pre-install some apps, which act like every other app, so they can be fully removed and are automatically updated.
Because of this, updating the OS is very, very easy. There is no fragmentation, and Microsoft plans to push out all the updates themselves, exactly like Apple does. There might be a short delay between carriers to certify that it won't bork their network, but that's all. (Apple can hide this because they only have to do it with one carrier.)
Re:Chester Wisniewski's point is invalid, IMO (Score:2, Informative)