New Android Exploit Discovered To Steal Data

mimd writes "A researcher at North Carolina State University has discovered yet another Android Browser exploit that affects the new Android 2.3 (Gingerbread) and previous versions. Slashdot recently covered a previous browser exploit that affected all versions of the Android Browser, but was patched in 2.3. Xuxian Jiang writes 'our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone.' The exploit is capable of reading and writing files from an Android's sdcard or system partition as well as uploading user data over the internet."

Market updates?

[ace123]

<rant>
Wait, they can't just use Market to push out new browser updates? Something to do with the browser being integrated into the OS? (Yet all third-party browsers are not--can't google at least provide a second non-integrated but secure browser?)

Are you telling me that one of the *most complicated* applications on the OS which deals with untrusted data from the internet can not be updated? Did the android developers dream that the web browser will not have security bugs?

Then, did they just push out Android 2.3, *knowing that there was a security bug in the past, and likely to be more in the future*, and still provide no way to release updates to the browser?

Google, are you serious? </rant>

. /me updates Firefox with the hope of getting a less buggy version