Android data flaw risks users' data

By on
Android data flaw risks users' data

Google failed to act to fix flaw.

A US-based researcher has discovered a flaw in the latest iteration of Android, which could see user data stolen.

A Gingerbread user could have their device compromised by clicking on a malicious link, discovered Xuxian Jiang, assistant professor in North Carolina State University's department of computer science.

The original vulnerability was supposed to have been patched in Android 2.3, yet there was still a way to bypass the fix, the researcher claimed.

“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone,” Jiang said in his report.

In attempting to hack the device, the researchers found they could read and even upload contents of files, including photos and voicemails, as long as they were installed on the phone’s SD card and the precise filename was known.

Jiang has been in touch with the Google Android Security Team and said the OS creator had taken the issue seriously, confirming a fix would be issued by the next major release of Android at the latest.

“From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay,” Jiang said.

“Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the SD card and a limited number of others).”

Until a fix has been issued, Jiang offered a number of ways to prevent exploitation of the vulnerability.

“For example, we can temporarily disable Javascript support in the Android browser or switch to a third-party browser for the time being,” he added.

“Users are also encouraged to be cautious when viewing unfamiliar websites.”

A Google spokesman said it had "incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone."

"We're in communication with our partners," the spokesperson added.

Gingerbread was only announced in November 2010 and featured in the Nexus S, which was released just before Christmas.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © ITPro, Dennis Publishing

Most Read Articles

Log In

  |  Forgot your password?