Nov 24, 2010 13:52 GMT

A flaw affecting the default Android browser allows remote attackers to steal data from smartphones, as long as they know the location of the targeted files on the SD card.

The security issue was discovered by a pen tester named Thomas Cannon while he was assessing the security of an application, and according to him, it's the result of a combination of factors.

First of all, the default Android browser doesn't prompt users when downloading an .html file. A notification is generated in the notification area, but the action itself doesn't require approval.

In addition, JavaScript can be used to automatically open the downloaded file, causing it to be parsed in the context of local storage rather than of the remote site.

The same origin policy normally prevents code served from one site from reading resources that belong to another, but since this file is rendered locally, that restriction no longer stands between the script and the other local files.

"While in this local context, the JavaScript is able to read the contents of files (and other data)," Cannon explains. This information can then be sent back to the remote server.

The attackers need to know the exact name and location of the targeted files, but some applications always store data in the same place. For example, camera pictures are saved with consistent names that can be determined in advance.
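The sequence described above can be modelled as an origin comparison. The following Python is an added illustration, not code from the article or from Cannon's research; it assumes the legacy behaviour in which a browser treats every file:// document as one shared origin, and the URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Default ports so http://host and http://host:80 compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str, file_as_single_origin: bool = True):
    """Return the (scheme, host, port) origin tuple for a URL.

    file:// URLs carry no host or port. Under the legacy policy assumed
    here every local file shares one origin, ("file", "", None); with
    file_as_single_origin=False each file is its own origin, keyed by path.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return ("file", "", None) if file_as_single_origin else ("file", parts.path, None)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def can_read(document_url: str, target_url: str, file_as_single_origin: bool = True) -> bool:
    """Same-origin check: a script running in document_url may read
    target_url only when both resolve to the same origin tuple."""
    return origin(document_url, file_as_single_origin) == origin(target_url, file_as_single_origin)


def walkthrough():
    """Replay the article's steps: a remote page, then the same HTML file
    opened from local storage, under the legacy and the per-file policy."""
    remote_page = "http://remote.example/page.html"       # constructed sample URL
    local_copy = "file:///sdcard/download/page.html"      # constructed sample path
    photo = "file:///sdcard/DCIM/Camera/IMG_0001.jpg"     # constructed sample path
    return {
        "remote_reads_sdcard": can_read(remote_page, photo),
        "local_reads_sdcard_legacy": can_read(local_copy, photo),
        "local_reads_sdcard_per_file": can_read(local_copy, photo, file_as_single_origin=False),
    }


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name}: {allowed}")
```

The third result shows why treating each local file as its own origin, as later browsers do, closes the gap even when the file is opened locally.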

The vulnerability was reported to Google last Friday and the company plans to include a fix for it in the first maintenance release of the upcoming Android 2.3 (Gingerbread).

However, since most device manufacturers handle Android updates on their own, usually in an untimely fashion, it will probably be a long time before many phone models get a patch.

Because of this, Cannon, who normally practices responsible disclosure, has decided to make the issue public now in order to give users a heads-up.

Possible mitigations include disabling JavaScript in the browser under "Settings > Enable JavaScript," not using an SD card, or switching to a different browser such as Opera Mobile. For many reasons, the alternative browser is the most practical option.