Security Expert Warns of Android Browser Flaw

Posted by Soulskill
from the memory-leak-leading-to-robot-revolt dept.
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'" Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.

  • by Anonymous Coward on Saturday November 27, 2010 @06:00PM (#34360754)

    On iOS, vulnerabilities are only used for jailbreaks.

  • linkbait (Score:3, Informative)

    by Anonymous Coward on Saturday November 27, 2010 @06:03PM (#34360768)

    1. Have to know full path to a file to view it.
    2. Have to download a file, presumably from someone you don't know and trust.
    3. This is in all browser versions, so how exactly does fragmentation factor in?

    Like everything else, buzzwords like Android fragmentation guarantee hits.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You didn't read TFA did you?

      1. Many file paths are standard and known, they are set by the OS or application.
      2. The download is automatic, when you visit a malicious website.
      3. Fragmentation factors in because a fix can't be rolled out quickly (or at all) to the fragmented handsets which may or may not get updates from the OEMs/Carriers.

      • 3. Fragmentation factors in because a fix can't be rolled out quickly (or at all) to the fragmented handsets which may or may not get updates from the OEMs/Carriers.

        So the problem is not fragmentation. The lazy ass OEM is not gonna help you quickly after you purchased something from it, while in the fragmented world of Linux distributions you get a fix issued quickly (at least on the major distros, which are not few).

        So the real problem is "depending on lazy ass OEM", or "Not Having Control Of Your Device".

        • Re: (Score:3, Insightful)

          by Moridineas (213502)

          Your description would naturally seem to be part of fragmentation.

          If you have 20 vendors you can bet that some of them are going to be good about support, some are going to be ok, and some bad. If you have 50 android phones, you can bet some are going to be supported better than others. And so on. This, of course, has both positives and negatives, but it's absolutely part of being fragmented.

          If google could rollout a patch to Android OSes that could be applied to any phone and any carrier instantly, then yo

          • Re: (Score:3, Insightful)

            by vux984 (928602)

            Since iOS and Android seem about diametrically opposed on this front, you can compare that there are a total of 4 models of iPhone -- iPhone, iPhone 3g, iPhone 3gs, iPhone 4.

            And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...

            When Apple releases an update to iOS (e.g. the new 4.2.1), it applies to all phones except the original iPhone.

            And the original ipod touch.

            (which is now just shy of 4 years old)

            It was launched almost 4 years ago, i

            • Re: (Score:1, Troll)

              by Moridineas (213502)

              And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...

              Oh you're right, that's true, I wasn't thinking about them since Android is only now starting to expand beyond cellphones. However, my point absolutely stands -- of the 9(?) devices/generations, almost all run the exact same version of iOS.

              It was launched almost 4 years ago, it wasn't DISCONTINUED almost 4 years ago.)

              Given most people had to sign a 3 year contract to get one there are lots of original models still in use. There are lots of original models STILL UNDER CONTRACT.

              What country are you in that requires people to sign a 3 year contract?? God, I thought American cellphone contracts were bad, and I've never seen one go beyond 2 years.

              I can't say for sure, not knowing what country you are in, but for the US (and I would assume the rest

              • by vux984 (928602)

                What country are you in that requires people to sign a 3 year contract?

                Canada.

                (and you would have read/understood if you weren't clearly just a android fanboi)

                While I have plenty of issues with Apple as a company, I actually went with a 32GB iPhone 3GS. The fanboi comments are a bit misplaced.

                Some may be supported better, some may be able to be community supported, but you can bet a lot of handsets are going to be neglected not too long after release.

                Yep. But it's really a question of each manufacturer, and

                • Canada

                  And 3-year contracts are really common in Canada? I had never heard this before...

                  While I have plenty of issues with Apple as a company, I actually went with a 32GB iPhone 3GS. The fanboi comments are a bit misplaced.

                  Fair enough. Usually when people make comments like "One is quite enough" re: Apple, they come across as fanbois. My mistake for assuming.

                  Yep. But it's really a question of each manufacturer, and has very little to do with "Android".

                  That's my point: comparing iOS to Android is a false comparison. Compare Apple to Motorola to HTC to Samsung to LG to whatever. It's the manufacturer that decides what support is going to be like, not the platform.

                  I think that's utterly irrelevant. Think about windows. Who sells PCs? Not Microsoft -- think Dell, Gateway, Acer, Asus, HP, Compaq, and so on. Who does the support? Well, it's a little bit more complicated, but basically the vendors and not Microsoft. Yet Windows/Microsoft is what has a hor

                  • by vux984 (928602)

                    And 3-year contracts are really common in Canada? I had never heard this before...

                    Yes. Very common. Usually you can take any of a 1 year, 2 year or 3 year contract, but with iPhones it was 3-year only.

                    But even then the pricing structure is typically heavily skewed to induce the consumer into 3 year contracts. Here's an example from Telus:

                    529.99 - no contract
                    479.99 - 1 year
                    429.99 - 2 year
                    149.99 - 3 year

                    That's still pretty messed up.

                    http://www.telusmobility.com/en/BC/samsung_fascinate/index.shtml [telusmobility.com]

                    Well, it's a

                    • I'm not saying fragmentation isn't occurring. It has occurred. Because it has occurred, it's invalid to say that Android has a problem updating its software, because it's not Android's problem.

                      Ok, I think we're in almost complete agreement then. As I said in my original post, some Android phones are going to have great support, some ok, some bad, and so on. Having an Android doesn't guarantee bad support, but neither does it guarantee good support! MY feeling is that -- like MS Windows -- Microsoft is going to get blamed, as the most visible party, for such issues, rather than HTC, Samsung, LG, etc. And thus the problem with fragmentation. There's the potential for bad experiences with one vendor

                    • by vux984 (928602)

                      And thus the problem with fragmentation. There's the potential for bad experiences with one vendor to sour the entire platform.

                      If there was a problem with webkit, we wouldn't buy it for a second if Microsoft tried to exploit the fact one vendor dropped the ball with updates to paint all the droids, and ios devices as a fragmented browser platform that was difficult to keep updated. Right?

                      Why do even entertain the notion that "Android fragmentation" is a "problem" in the first place? We should reject blaming

                    • That's true, however the key difference is visibility. Is it unfair that Microsoft is blamed for slowed down systems when it's vendors that install bundles of crapware from day one? Sure. Is it unfair that a bad experience with one Android device might sour somebody on other Android devices? I guess?

                      Additionally, here's a huge difference between a rendering engine that most people have never heard and is totally behind the scenes, and a highly marketed operating system and brand. Google is very much interes

              • What country are you in that requires people to sign a 3 year contract?

                Here in Australia, the standard contract is 24 months. Given that I tend to keep my handsets for about double that term, I'm happy enough with that...
            • Since your post was so rife with inaccuracies, I felt I had to correct the misconceptions you were attempting to spread.

              And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...

              Where did you get that from? The iPad and iPhone and Touch all run the same OS version now, 4.2. The only iOS device that cannot run 4.2 is the first gen iPhone or the 1st (and possibly second) gen Touch. That's not eight, it's around two. And both of those can

              • by vux984 (928602)

                No iPhone has ever had more than a two-year contract.

                "Fido, Rogers to offer iPhone with 3-year contracts"

                http://www.cbc.ca/technology/story/2008/06/12/fido-iphone.html [www.cbc.ca]

                From first hand experience:
                3 year contract, or you buy the phone outright.
                1 and 2 year contracts were not options.

                How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?

                It will never get -THAT- bad

                • Ok, I admit it, I had not heard Rogers had three year contracts. I stand corrected. But I have not heard of three year contract lengths in any other country; I'm pretty sure that's an aberration and the original post said nothing about Canada, making the complaint sound generic.

                  I'd probably have to bite down and buy an unlocked phone before I went for a three year contract. That's pretty crazy. I can only hope Canadians got better iPhone prices as a result, but I doubt it.

              • You're assuming that the benevolent dictator model results in better security. But we have that in the desktop/laptop OS space in which Microsoft and Apple duke it out between them. Guess what - Apple's track record of patching security flaws is absolutely atrocious. They have a reputation for leaving bugs unpatched for months. Microsoft do a lot better these days, but even then, there are so many exploits, and enough users who don't get the online updates, that the OS is a piece of Swiss cheese.

                Today, HTC/M

                • You're assuming that the benevolent dictator model results in better security.

                  No, I'm not. I'm assuming only that the "benevolent dictator" model is better at being able to deploy security patches. And that is true.

                  Better security results in a better security model, with appropriate layers. I personally think the iPhone has a slightly better base model than Android does - here we see the effects of fragmentation on being able to patch an issue, but beyond that the iPhone would not have this risk because t

            • by jrumney (197329)
              iOS 4.0 and 4.1 did not apply to the iPad either. It's past time for the Apple fanbois to drop the fragmentation non-argument.
        • by camperslo (704715)

          The Android platform is quite fragmented (many forks, without source available), because so many vendors have had so many different phones and they've generally all made CLOSED proprietary changes. The Apache license doesn't require the carriers to make their user-space code available to users or Google or anyone. (The Linux part is still GPLed, but that is only part of Android).

          http://arstechnica.com/old/content/2007/11/why-google-chose-the-apache-software-license-over-gplv2.ars [arstechnica.com]

          Users generally have crippl

        • by Stan92057 (737634)
          So, what else ya want? They are using a free FOSS and now you want them to patch it??? hahahahaha :} There goes that free theory.
          • >free FOSS...

            and that constitutes the only part of your post that makes some sense.

            care to troll in a more refined way?

        • If I click on the update phone my Android phone fails to connect to the update site and demands that I wait another 24 hours to try.

          At least my service provider is very nearly the beginning of the American alphabet, which should put my update first in the list.

          There are also a lot of files that normal permissions will not let me see to backup....

          At least I do not have my personal TSA full body scan images on the phone.

    • Re:linkbait (Score:5, Informative)

      by node 3 (115640) on Saturday November 27, 2010 @06:18PM (#34360860)

      Fragmentation affects the creation and distribution of the patch.

      • It could make it nearly impossible to patch, for off-brands that run Android.

      • Luckily Android is free/open source under the Apache licence. So even if HTC and the like don't publish their own fixes, you can expect to find up-to-date firmware from 3rd parties like Cyanogen.

        The only part I don't like is that replacing the firmware requires rooting the phone. One shouldn't hack his/her *own* phone to replace free/libre open software!

        (I type that on a Palm Pre running a custom kernel, which was installed using nothing more than the officially documented "dev mode", no exploit required.)

    • by bonch (38532)

      You're a fanboy. We know this because you obviously didn't even read the article, where your points are refuted. Instead, you didn't like that Android was being criticized, so you immediately posted an anonymous comment to dismiss the story as linkbait.

      I suspect you're one of the many anonymous posters who suddenly shows up in every article critical of Google or Google products.

  • by ciaran_o_riordan (662132) on Saturday November 27, 2010 @06:09PM (#34360806) Homepage

    "Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.

    TFA says Cannon gave Google prior warning, so this isn't zero-day, right?

    http://en.wikipedia.org/wiki/Zero-day_attack [wikipedia.org]

    I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.

  • Chester says:

    Now for the #fail. Android, like Windows Phone, is largely designed to be an open platform. Windows Phone does require licensing, but supports many handset makers similar to the Android strategy. What do I mean by this? Many carriers and manufacturers of handsets are encouraged and able to use the operating system and adapt it to just about any form factor they can imagine. HTC, Samsung, Motorola, Acer and others each can make interesting, innovative devices and customize the operating syste

    • Re: (Score:3, Interesting)

      by bhtooefr (649901)

      But you do go to Microsoft and ask for Windows patches for your Dell or HP (or even for your iWhatever, if your iWhatever is an iMac, and you're running Windows on it.)

      This is a nightmare because you have to go to the company that sells you the gadget... and it can take months for the phone manufacturer to validate a new ROM for your phone based on Google's code, and then a few more months for your carrier to validate that ROM.

      • by bmo (77928)

        As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?

        How's that Windows Home Server goin' for ya?

        "ANDROID HAS BUGS! BE AFRAID! BE VERY AFRAID! FRAGMENTATION! FRAGMENTATION! BOO!"

        --
        BMO

        • Re: (Score:2, Insightful)

          As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?

          At least then you're only waiting on MS to get off its ass, not MS and then the manufacturer.

          • Re: (Score:2, Informative)

            by F.Ultra (1673484)
            I can't recall a single Windows phone on which I could install patches directly from Microsoft. Yes, there was a Windows Update button, but it always timed out after 15 minutes telling me that it couldn't connect and I still had to wait for the phone manufacturer to release the patch (if ever). This on SE phones; perhaps there were other winphones where this worked better?
      • by bjartur (1705192)

        One downloads updates from one's distro's repos. That will be Windows Update if you can't be bothered to choose a distro on your own.

    • by fuzzyfuzzyfungus (1223518) on Saturday November 27, 2010 @06:25PM (#34360910) Journal
      His point is arguably more valid for some types of problems than for others...

      Some things are inherently difficult in an environment with numerous hardware variations that cannot be depended upon (designing UIs that work nicely across multiple screen sizes/keyboards vs. softkeys only, etc., substantial differences in processing power, RAM, storage); but most security bugs, unless apocalyptically foundational in some ugly way, generally don't qualify. Nor are security fixes (unlike new features, or issues related to custom skins and other OEM differentiation crap) generally something that carriers are likely to be conflicted about from a marketing perspective. Lots of carriers are doing a lousy job of updating existing handsets to newer Android versions because they would really rather just sell you the Model N+1 and another two year contract. Doing that with an obscure bug is harder.
    • You don't go to Apple and ask for Windows patches. You don't ask Windows to patch your iWhatever. Each company maintains its own patches. If the common point in between two devices happens to be Android, how can this be some kind of nightmare? It's SOP. The company that sells you the gadget gives you the patches. In short, so what?

      However, you do go to Microsoft for windows patches even when your laptop is made by Acer. That's the point he's making, in previous OS situations you would go to Google for the patch, but you can't, you have to go to the device manufacturer instead.

    • by Peganthyrus (713645) on Saturday November 27, 2010 @06:45PM (#34361022) Homepage

      So let's say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.

      Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it's really serious it'll probably pop up in the next Patch Tuesday. If it's hyper-serious then it might come out three or four days after the vuln was announced.

      That's not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can't give you any patches because the HP customizations are a fork of MS's source; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.

      Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you're lucky.

      Oh, and some of them have implemented DRM that will trash your computer if you try to install vanilla MS Windows. And nobody makes the drivers for their custom hardware available anywhere outside of the binary blobs they distribute. Pretty much everyone except the hardcore nerds is just gonna be running whatever release of the OS came with their computer, or maybe the one update they got - even if they keep the machine for five years. Even if they want to try and update it.

      So tell me, why is this a problem?

      • by bjartur (1705192)

        That's why everything is standardized. That way you can patch your kernel and win32 and unix subsystems without breaking your window manager and web browser.
        Imagine if OEMs bundled Opera and dwm with their hardware.

        I'm sorry, but if you've bought a computer that breaks horribly when you try to use it and make it execute code, you've been ripped off. Check if your warranty's expired.

    • Re: (Score:3, Informative)

      by PhrostyMcByte (589271)

      They just don't want to spend any more money on it. Android code gets released, then the OEM customizes it, and then the carrier finally customizes it. That's a lot of work -- the 10 or so current phones they've got out, plus their entire back catalog. They've already got your money. So long as it doesn't affect their network, why do they need to bother? It only takes one of the OEM or carrier to decide it's not important.

      Chester was entirely wrong about Windows Phone, too, unless he is confusing it wi

    • I wish people would learn what unique actually means.

  • by MillionthMonkey (240664) on Saturday November 27, 2010 @06:16PM (#34360848)
    Tired of Amazon S2 prices piling onto your organization's IT expenses? Thinking of running large distributed apps on your own equipment? We offer cloud computing services for cheap!

    Standard on-demand instances:
    Small (1000 Android cellphones): $0.05 per hour
    Large (5000 Android cellphones): $0.20 per hour
    Extra large: call

    Get a 10% discount if you sign up before zero day is over.
  • by jimpop (27817) * on Saturday November 27, 2010 @06:21PM (#34360888) Homepage Journal

    The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.

    • I suspect that they knew about it, in theoretical terms; but how do you respond to such knowledge? Asserting the amount of control needed to push quick patches to 3rd party embedded devices would make the 3rd parties run screaming. Delivering perfect software on anything resembling a budget isn't really a happening thing.

      It's sort of like knowing that you are going to die. The number of things you can do isn't zero; but you can never really "react usefully" to this knowledge because there just isn't anyt
      • by jimpop (27817) *

        > but how do you respond to such knowledge?

        You implement a Patch Tuesday solution, at least.

        • Re: (Score:3, Funny)

          by froggymana (1896008)

          Shouldn't they think outside of the box? Why not have a patch Monday so they can be one step ahead of Microsoft?

        • "Patch Tuesday solution" basically implies "Asserting the amount of control needed to push quick patches to 3rd party embedded devices".

          Unfortunately, patching embedded devices is something of a problem industry wide: many of them are weird/customized enough that 1st party patching would be truly heroic, for any issues that aren't isolated near the top of the stack, and many of the 3rd parties who made them are basically uncaring, incompetent, or both. PCs, by contrast, are both fairly heavily standardiz
    • by Tacvek (948259)

      There is a very easy way to patch it. Don't let public pages redirect to "content://com.android.htmlfileprovider/*".

      While it is fully intended that public pages be able to access other content providers, there is no valid need for them to be able to access HTML files stored on the device, especially since local HTML files are trusted higher than public HTML files.

      In the attack, the server forces an HTML page to be downloaded by using an incorrect content-type. It then redirects to that local page via the co
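The fix described above, modelled as a navigation policy in Python. This is an added example, not code from the article, from Cannon's write-up or from Android itself: a page loaded from a public web origin is refused a redirect into content://com.android.htmlfileprovider/, other content providers stay reachable as the comment says is intended, and a local page is unaffected. The scheme trust tiers, the extra rule for file:// targets and the `check_redirect_chain` helper are assumptions of the example that go a little beyond the comment.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Scheme trust tiers, an assumption of this example (Android keeps no such
# table): local HTML opened through the htmlfileprovider runs with more
# privilege than HTML fetched from the public web, which is exactly why a
# public page must not be allowed to redirect into it.
WEB_SCHEMES = {"http", "https"}
LOCAL_SCHEMES = {"file", "content"}

# Authority of the content provider named in the thread.
HTMLFILEPROVIDER = "com.android.htmlfileprovider"


def trust_tier(url: str) -> int:
    """0 = public web page, 1 = local device content, -1 = unknown scheme."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in WEB_SCHEMES:
        return 0
    if scheme in LOCAL_SCHEMES:
        return 1
    return -1


def is_htmlfileprovider(url: str) -> bool:
    """True for content://com.android.htmlfileprovider/... in any letter case."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "content" and parts.netloc.lower() == HTMLFILEPROVIDER


def allow_navigation(current_url: str, target_url: str) -> tuple[bool, str]:
    """Decide whether the page at current_url may navigate or redirect to target_url.

    Rule 1 is the fix proposed in the thread; rule 2 (an assumption here)
    extends the same reasoning to file:// targets. Other content:// providers
    stay reachable from public pages, because the thread says that is intended.
    """
    src = trust_tier(current_url)
    if trust_tier(target_url) == -1:
        return False, "unknown target scheme"
    if src == 0 and is_htmlfileprovider(target_url):
        return False, "public page may not open local HTML via htmlfileprovider"
    if src == 0 and urlsplit(target_url).scheme.lower() == "file":
        return False, "public page may not open file:// content"
    return True, "ok"


def check_redirect_chain(chain: list[str]) -> tuple[bool, int, str]:
    """Follow a chain of navigations the way a browser follows redirects.

    Returns (allowed, index of the first denied hop or -1, reason). Every hop
    is checked because the dangerous transition is the one whose *source* is
    a public page, wherever in the chain it occurs.
    """
    for i in range(1, len(chain)):
        ok, why = allow_navigation(chain[i - 1], chain[i])
        if not ok:
            return False, i, why
    return True, -1, "ok"


if __name__ == "__main__":
    # Constructed sample chains, not taken from the article. The first has the
    # shape of the attack described in the thread: a public page redirects to a
    # just-downloaded HTML file served through the provider.
    attack_chain = [
        "http://attacker.example/landing",
        "content://com.android.htmlfileprovider/sdcard/download/dropped.html",
    ]
    # A local page moving to another local page is unaffected by the rule.
    local_chain = [
        "file:///sdcard/notes/index.html",
        "content://com.android.htmlfileprovider/sdcard/notes/page2.html",
    ]
    for chain in (attack_chain, local_chain):
        print(check_redirect_chain(chain))
```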

    • If it hits big enough maybe the carriers will wake up and offer a stock image with all the various crap as add-ons. Seriously, I don't want Sprint TV, or Sprint NASCAR's app. But I do want my few months old phone to be upgradable past 2.1.

      If enough pages hit that make it unusable then either the phone companies will have to push an update or give new phones to anyone claiming breach of contract.

    • And then there are those of us running AOSP ROMs like CyanogenMod who will likely have fixes on our phones in no time. Hopefully manufacturers see how well Open Source responds to issues like this and realize that what they are doing puts a lot of phones at risk by making the process so tedious for updates that they move from "releasing source code" to maintaining a Git/SVN server that regularly pulls in updates from their team as well as the Android trunk. I think T-Mobile is already moving towards this.
  • a free browser upgrade via the Android market place? It's just a program like firefox is. I don't believe that HTC modifies the browser. Device drivers yes, but the browser? I could be wrong, I haven't looked at any of the code for the different manufacturers,
  • I don't see how downloading a file has anything to do with the exploit other than being a means to trigger file access JavaScript.

    What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary

    • You mean iPhone users have similar problems as Android users? Wow, we should all convert over to wp7 then. It's so secure, it doesn't even have cut n paste. Sorry for the sarcasm.
    • by TBBle (72184)

      What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary application data at a known path on the SD card?

      When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)

      But the actual data on the sdcard is completely open to all applications. It's basically a large dumping ground for data.

      The issue of this exploit is that you never need to grant anything permission to become vulnerable, whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.

      • When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)

        That's how I understood things from before...

        whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.

        Right, I can see an app needing to ask for access to be installed, possibly the SD card access - but who would think twice about granting that, if for no other reason than to store preferences?

        The

  • OH NO (Score:1, Troll)

    by AnAdventurer (1548515)
    The perfect phone OS has a security flaw!!! DOOM DOOM, it's DOOM!
  • Personally, I know I can get the latest fixes and updates fairly quickly, but that is only because I have rooted my phone and installed a few utilities and follow the updates and fixes provided by some pretty smart people. That's just about as up-to-date as I can hope to be. But that won't work for the rest of the users out there. They have to wait for a very long time, forever or even longer (such as never) before t-mobile, at&t, sprint or verizon to push out an update to fix a vulnerability. And w

  • Is it just me or does Android seem to be following Microsoft's path? Wonder if there'll be a BSOD for Android in the near future lol
  • So what?
    I do not understand what makes this an "interesting piece of news"

    We see Windows security updates weekly.
    iOS? Regularly.

    Is this some "special" weakness?

    • by robosmurf (33876)

      It's special because most Android phones are NOT getting a security update for the known flaw.

      • by mauriceh (3721)

        Most phones on most OS types do not get security updates.
        Not a function of the OS, but a function, or lack thereof, of the phone provider, who are usually the telco for wireless services.
        And their argument often is:
        "We provided the phone, as is, and "free" to you.
        We owe you nothing."

        Again, not unusual.

  • Good to know, thanks for sharing.
