Android Security Issue: Malicious Websites Can Grab Anything on Your SDCard?

So in an effort to try and bring the appropriate attention to a security flaw found in the Android OS (at the request of some vigilant Android developers), I thought I’d do a quick post on it.

The security flaw in question isn’t a “dangerous Android trojan found” or some other scary outside thing that needs to be downloaded. Instead, it is actually a security issue inherent in Android itself, according to the developers that found it.

Here is what the developer who discovered the flaw has to say about it in his own words:

“While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.

The vulnerability is present because of a combination of factors. I’ve been asked nicely to remove some details from the following section, and as my intention is to inform people about the risk, not about how to exploit users, I’ve agreed:

  • The Android browser doesn’t prompt the user when downloading a file, for example "payload.html", it automatically downloads to /sdcard/download/payload.html
  • It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.
  • When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.
  • While in this local context, the JavaScript is able to read the contents of files (and other data).

Then, once the JavaScript has the contents of a file it can post it back to the malicious website. This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort.

One limiting factor of this exploit is that you have to know the name and path of the file you want to steal. However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention too. It is also not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system, only those on the SD card and a limited number of others.

A demonstration of the proof of concept exploit in action can be seen in the video embedded below. The demo uses the Android emulator with Android 2.2 (Froyo) and I have also successfully tested it on an HTC Desire with Android 2.2. In the demo I first create a file on the SD card of the Android device, then I visit the malicious page and it grabs the file and uploads it to the server automatically.”

Android Data Stealing Vulnerability from Thomas Cannon on Vimeo.

So it doesn’t seem like a huge security issue considering the website would have to know the file name and path of the exact file they want to steal (the only super predictable files I can think of, that the developer mentioned, are picture files and some applications with consistent names etc.).

Also, the developer goes on to point out that the Android development team already has responded and has a security patch in place that they have yet to release.

The concern here is that the amount of time it takes for manufacturers to release Android updates (if they do at all for your device) means that a lot of devices will be vulnerable for a long time to come. The developer would like to share the following guidelines in the meantime to help users protect themselves from such attacks until an update can be applied, the main one being the first one:

“Better that we know now and have the chance to protect ourselves, or at least understand the risk. I don’t expect to see the exploitation of this issue become widespread, but if you are really worried about it there are a few things you can do to identify it or prevent it:

  • When the payload is downloaded it generates a notification in the notification area, so watch for any suspicious automatic downloads. It shouldn’t happen completely silently.
  • You can disable JavaScript in the browser (uncheck “Settings > Enable JavaScript”)
  • You can use a browser such as Opera Mobile for two reasons: 1) It prompts you before downloading the payload 2) If a vulnerability is found you can easily update a 3rd party browser after they release a fix.
  • Google have advised that another option is to unmount the SD card (“Settings > SD & phone storage”). This could have an impact on the usability of the device but for some situations, perhaps in organisations, I can see this could work. It has not been fully tested, however.”

Also, one should note that apparently A LOT OF CUSTOM ROMs (those flashed after rooting your phone) are NOT affected by this flaw. So one more reason to root your phone and load a custom ROM, no?

So this issue seems to boil down to the slow speed at which updates are coming out more so than the security flaw itself. Considering the Android team already has a patch in place (which could be the new security update the Nexus S saw not too long ago), it seems to be solved already. The real issue is the speed at which manufacturers send out updates (and the fact that they even abandon updating certain devices entirely, security patches included).

UPDATE (01.31.11) – It would seem that this issue is NOT fixed in Android 2.3 (Gingerbread), which would mean no stock ROM is safe, so please just be careful when visiting sites and look for the above symptoms.

Thoughts, anyone?

Thanks Pulser at VillainROM for sending this in!

6 thoughts on “Android Security Issue: Malicious Websites Can Grab Anything on Your SDCard?”

  1. Yikes! I think this is scarier for those of us who don’t pay close attention to what’s going on. For those of us who consider ourselves power users, I’m not too worried about it. Any downloads that start themselves without my consent will immediately be killed anyway so I doubt this would get me.

  2. It happened to me. Tried to download a ringtone from an unknown source and woke up the next morning to find my google and yahoo passwords had been changed! This happened ON MY PHONE!
