Security Expert Warns of Android Browser Flaw
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'"
Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.
On iOS, vulnerabilities are only used for jailbreaks.
I'm still waiting for a NetFront browser crash that will let me jailbreak my Sony Mylo2.
I hate when I'm not allowed to run even my software on discontinued and obsolete Internet Devices.
1. Have to know full path to a file to view it.
2. Have to download a file, presumably from someone you don't know and trust.
3. This is in all browser versions, so how exactly does fragmentation factor in?
Like everything else, buzzwords like Android fragmentation guarantee hits.
"Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.
TFA says Cannon gave Google prior warning, so this isn't zero-day, right?
http://en.wikipedia.org/wiki/Zero-day_attack
I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.
Chester says:
Now for the #fail. Android, like Windows Phone, is largely designed to be an open platform. Windows Phone does require licensing, but supports many handset makers similar to the Android strategy. What do I mean by this? Many carriers and manufacturers of handsets are encouraged and able to use the operating system and adapt it to just about any form factor they can imagine. HTC, Samsung, Motorola, Acer and others each can make interesting, innovative devices and customize the operating system to meet their needs.
This sounds like a good thing, right? It is awesome if you are a consumer and want the maximum amount of choice and flexibility. The problem comes in when you have to patch or maintain the software that drives these devices when they only have the most basic components in common. This is the security nightmare that Android is beginning to face. Every device on every carrier has a slightly unique configuration that requires that phone's manufacturer and carrier to update its software independent of what Google may have provided.
My question is, why is that a problem?
You don't go to Apple and ask for Windows patches. You don't ask Windows to patch your iWhatever. Each company maintains its own patches. If the common point in between two devices happens to be Android, how can this be some kind of nightmare? It's SOP. The company that sells you the gadget gives you the patches. In short, so what?
ridiculous.
Tired of Amazon S2 prices piling onto your organization's IT expenses? Thinking of running large distributed apps on your own equipment? We offer cloud computing services for cheap!
Standard on-demand instances:
Small (1000 Android cellphones): $0.05 per hour
Large (5000 Android cellphones): $0.20 per hour
Extra large: call
Get a 10% discount if you sign up before zero day is over.
The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.
Just because there's only one vendor for the iOS does not mean Apple is fixing every bug as it shows up.
A free browser upgrade via the Android Market? It's just a program like Firefox is. I don't believe that HTC modifies the browser. Device drivers, yes, but the browser? I could be wrong; I haven't looked at any of the code for the different manufacturers.
It could make it nearly impossible to patch, for off-brands that run Android.
I don't see how downloading a file has anything to do with the exploit other than being a means to trigger file-access JavaScript.
What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary application data at a known path on the SD card?
If so, fixing the browser alone is not necessarily a fix though certainly a great improvement.
Fragmentation is at issue not so much in the vulnerability, as in the patch - because all sorts of vendors have different update schedules it's going to take a while for a fix to propagate everywhere and may never reach some older devices like the G1 (and to be fair iOS has that issue currently with the original iPhone and the PDF flaw, which you must jailbreak to fix).
You mean iPhone users have similar problems as Android users? Wow, we should all convert over to WP7 then. It's so secure, it doesn't even have cut 'n' paste. Sorry for the sarcasm.
The perfect phone OS has a security flaw!!! DOOM DOOM, it's DOOM!
I wish people would learn what unique actually means.
What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary application data at a known path on the SD card?
When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)
But the actual data on the sdcard is completely open to all applications. It's basically a large dumping ground for data.
The issue with this exploit is that you never need to grant anything permission to become vulnerable, whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.
Nobody uses the stock web browser.
When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)
That's how I understood things from before...
whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.
Right, I can see an app needing to ask for access to be installed, possibly the SD card access - but who would think twice about granting that, if for no other reason than to store preferences?
The question I had is whether, from there, an application that has those permissions can see any application data from other applications that resides on the SD card. I thought not (I thought all app data would be part of individual mounts), but if it can be done, that seems like an awfully big opening for apps to secretly mine all kinds of information from a user.
Personally, I know I can get the latest fixes and updates fairly quickly, but that is only because I have rooted my phone, installed a few utilities, and follow the updates and fixes provided by some pretty smart people. That's just about as up-to-date as I can hope to be. But that won't work for the rest of the users out there. They have to wait for a very long time, forever or even longer (such as never) before T-Mobile, AT&T, Sprint or Verizon push out an update to fix a vulnerability. And what's more, they will never acknowledge a vulnerability but will instruct their support people to run you through ridiculous paces and eventually ask you to exchange the phone for a refurb even though the problem will undoubtedly be software.
This is all typical behavior from carriers because keeping firmware or software up-to-date is not something they have EVER done. Doing so now would be very unusual.
He did well, it appears, thus far.
I say that because this is the 2nd ANDROID security hole I've heard about in this one, & the other was at most a week ago also.
I also formerly recall ANDROID code in the kernel being part of the normal family distros you see here http://distrowatch.com/ usually, but I have recently heard it was gone now for awhile!
So... Per my subject above, maybe this is for the best, as again, this the 2nd security hole I have seen in ANDROID this past 2 weeks now in fact as I stated above...
APK
P.S.=>
"Fragmentation affects the creation and distribution of the patch." - by node 3 (115640)
on Saturday November 27, @06:18PM (#34360860)
Security also, per the above, @ least lately...
However, this DOES show you "Pro-*NIX" Penguins out there that yes, Linux can & does have "holes" in it, especially when it's changed/ported (etc./et al, you know what I mean, in comparing ANDROID to other LINUX kernel builds)... apk
Since your post was so rife with inaccuracies, I felt I had to correct the misconceptions you were attempting to spread.
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...
Where did you get that from? The iPad and iPhone and Touch all run the same OS version now, 4.2. The only iOS device that cannot run 4.2 is the first gen iPhone or the 1st (and possibly second) gen Touch. That's not eight, it's around two. And both of those can be patched by jailbreaking, which happened within a few days of the PDF exploit.
Given most people had to sign a 3
No iPhone has ever had more than a two-year contract.
But the really silly thing is comparing Android's fragmentation to Apple's going it alone with iOS and concluding that the fragmentation is somehow a disadvantage.
Right, because the fact this vulnerability will take months to fix for 80% of Android users vs. something like days to fix for 80% of iOS users means nothing. Sure, you just keep saying that.
If each of 20 vendors wrote their own operating system from the ground up the way Apple did, would that be somehow better??
In some ways, yes, because then they would each be on the hook to fix vulnerabilities, or not even have them with so many diverse implementations. But the simple truth is that they ALSO would have been better using Android in a way that Google would be the one pushing updates for things like the browser. That would have been the sane model, but Google decided to bow to the will of carriers and device makers and let them have all the control over updates.
If 20 manufacturers did what Apple did, we'd have 20 distinct operating systems. 20 incompatible app stores.
How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?
The real issue with fragmentation is that you don't HAVE Android anymore, all you have are variants with Android at the core.
Thank god we don't have 20 apples. One is quite enough.
Unfortunately, the market and consumers really need two but Google decided to take themselves out of the running; with any luck Microsoft has learned and can be the Other Apple.
If it hits big enough, maybe the carriers will wake up and offer a stock image with all the various crap as add-ons. Seriously, I don't want Sprint TV, or Sprint's NASCAR app. But I do want my few-months-old phone to be upgradable past 2.1.
If enough pages hit that make it unusable then either the phone companies will have to push an update or give new phones to anyone claiming breach of contract.
Is it just me, or does Android seem to be following Microsoft's path? I wonder if there will be a BSOD for Android in the near future, lol.
So what?
I do not understand what makes this an "interesting piece of news"
We see Windows security updates weekly.
IOS? regularly.
Is this some "special" weakness?
Good to know, thanks for sharing.
Apps like the browser are planned to become normal apps soon, which can easily be updated via Android Market. So hopefully problems like this will be less dramatic in the future.
If I click on the update phone my Android phone fails to connect to the update site and demands that I wait another 24 hours to try.
At least my service provider is very nearly the beginning of the American alphabet which should put my up-date first in the list.
There are also a lot of files that normal permissions will not let me see to backup....
At least I do not have my personal TSA full body scan images on the phone.
For the last time: Linux is a kernel.
This bug isn't in the kernel. Linux isn't affected.
This bug isn't even in the GNU userland which is used in most distributions (and which Android lacks, as it relies on BusyBox instead).
This bug is in the browser, which has nothing to do with your regular distributions. At most, it's a distant cousin of Chrome (another browser done by Google) and perhaps WebKit (the framework used by all browsers by Google, Apple and KDE).
Luckily Android is free/open source under the Apache licence. So even if HTC and the like don't publish their own fixes, you can expect to find up-to-date firmware from 3rd parties like Cyanogen.
The only part I don't like is that replacing the firmware requires rooting the phone. One shouldn't have to hack his/her *own* phone to replace free/libre open software!
(I type that on a Palm Pre running a custom kernel, which was installed using nothing more than the officially documented "dev mode", no exploit required.)