The sky!  It's falling!

Back before Thanksgiving, we reported about an Android security flaw in the stock web browser that allowed an attacker to get contents of your SD card if he or she knew the full path to the files.  That flaw was fixed in Gingerbread, and all was well with the world blogosphere.  But, lo and behold, someone has found a way to work around the new patch, and the Gingerbread browser is just as vulnerable (with a different method) as before the patch.

And we're still not worried.

Yes, this needs to be addressed.  Yes, you're likely going to have issues getting any patch because your carrier and manufacturer will be involved to help slow down the process.  But let's put things in perspective a bit.  The Android browser allows for file downloads and JavaScript execution -- it wouldn't be much of a browser without those features.  Android also gives us an unsecure place to store files -- the SD card (or equivalent).  If you go to a website, and click a link, some code can be run that looks for files by name and can pull them from your card.  If it doesn't know the name, it doesn't find the files.

That's the most important part to remember.  Regardless of the FUD that is being spouted (Android is the world's most popular phone operating system, and any mention of it gets you massive pageviews) rogue websites likely aren't dipping into the database of your banking app and stealing your financial information.  That shouldn't even be stored on your SD card, as it should all be secure data.

They can, however, steal the pictures on your SD card -- the ones you took with your phone, left with the default name, and in the default location, but again -- only if the full path and file name are known.  Google will patch this, and someone will find a way around that patch as well.  Regardless of what some folks would like you to believe, no software is 100 percent secure.  And chances are, you'll lose your phone before you stumble across a website designed to steal your pictures, so anything on your card is fair game then.

There are three easy ways to avoid the problem -- switch browsers to something that's not open source, stop using the SD storage, or pay attention to what you keep on the card.  Your SD card was designed to be unsecure, and easy to access, so it is.  [NC State University]
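An added example, not part of the original article: one way to "pay attention to what you keep on the card" is to audit a copy of it and rate how predictable each file's full path is, since the flaw only reaches files whose path is known. The rating heuristic, the digit threshold and the sample file names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption for this example: a name with at most this many digits in total
# is treated as a short counter (IMG_0042.jpg), i.e. a small search space.
MAX_COUNTER_DIGITS = 4


def classify(rel_path):
    """Rate how predictable a path (relative to the card root) is."""
    stem = os.path.splitext(rel_path)[0]      # ignore digits in e.g. ".mp3"
    digit_runs = re.findall(r"\d+", stem)
    if not digit_runs:
        return "fixed"        # same path on every device with that app
    if sum(len(run) for run in digit_runs) <= MAX_COUNTER_DIGITS:
        return "enumerable"   # default name plus a short counter
    return "harder"           # timestamp or long id in the name


def audit(root):
    """Walk root and return {relative_path: rating} for every file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            report[rel] = classify(rel)
    return report


def demo():
    """Build a constructed sample card layout and audit it."""
    sample = ("exampleapp/settings.ini",            # made-up app config
              "DCIM/Camera/IMG_0042.jpg",           # default camera-style name
              "notes/export-20110129-183207.txt")   # timestamped export
    with tempfile.TemporaryDirectory() as card:
        for rel in sample:
            path = os.path.join(card, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample")
        return audit(card)


if __name__ == "__main__":
    for rel, rating in sorted(demo().items()):
        print(f"{rating:10} {rel}")
```

Files rated "fixed" or "enumerable" are the ones to move off the card or rename; "harder" only means a larger search space, not that the file is protected.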

 
There are 30 comments

Bla1ze says:

Soo.. I don't need to wipe my porn? Phew! Thanks Jerry!

billybaldin says:

I think I would be more afraid of rogue websites. As opposed to the "rouge" websites..:) I'm just saying.. Thanks Jerry!

But the spell checker said it was OK! lol

Thanks

Dperks17 says:

Even if I use dolphin browser?

Balthazar B says:

If Gingerbread lets me encrypt the local storage, problem (mostly) eliminated.

BTW, this is the most pressing issue for Android becoming accepted as a mobile solution by business...

rmunn says:

Switch browsers to something that's not open source? Bad idea -- that will reduce your security, not increase it.

The standard way to find security holes is not to read the source, but to try various attack techniques (code injection, buffer overflows, input fuzzing, etc) and see what works. This can be done against open- and closed-source programs equally well.

Once you find a security hole, then you have to fix it, and THAT's where the open-source world has the advantage. In the closed-source world, only the company that owns the software can fix the bug, because they're the only ones who have the source code. That means anywhere from one (single developer) to a thousand-plus people (major corporations) have the access required to fix the bug. In the open-source world, though, EVERYONE who uses the program also has the access required to fix the bug. Not everyone has the skills, of course, but anyone who does have the skills also has the tools needed. Result: bugs get fixed more quickly, once found, in the open-source world than in the closed-source world.

In short: Open-source software has a security advantage that closed-source will never have, because its bugs get fixed faster.

(Of course, in the Android world, the carriers can take ages to get that bugfix to you...)

But -- and it's a big but -- in this case the people finding these exploits are taking the lazy route, and using the source code to help. Third party browsers aren't affected, and probably won't be, unless they are FOSS like FFM or Opera. Using something like Dolphin HD will keep you safe from this exploit.

TuxDotKing says:

Is Opera open source? I know that it's a popular browser among Linux users, yet I always thought that all of its versions were proprietary.

Also, it seems that open source isn't always the most secure (as you mentioned) when the software isn't updated. Considering that the Browser is one of the most common attack vectors and most used app on a system; why doesn't Google provide updates to it through the market? I know that Sense and some others skin/modify it, but at least the phones that use an unmodified version of it could upgrade it and those that don't could install it from the market for the benefit of regular fixes and updates from AOSP.

Grimmy says:

I see where you are coming from Jerry, but Internet Explorer had this same issue for nearly a year without being patched (except replace SD Card with your entire hard disc contents) - that's famously open source isn't it? :P

Linux64 says:

Security matters. Just because we are all Android fans doesn't mean Google gets a free pass.

Your post is a disservice to Android users.

"Your SD card was designed to be unsecure, and easy to access, so it is" -- The mind boggles at such a stupid statement.

Don't be a fool, many, many apps use hard coded filenames and paths for files that can contain sensitive information.

Name me one, so I know which apps to avoid. Any developer who stores sensitive information on removable storage, or storage that can be unmounted at runtime needs to be avoided at all costs.

SD storage is insecure by design. The Fstab wasn't written the way it is by mistake.

Bla1ze says:

This is also why so many developers offer/create/sell software for encryption. They know it wasn't meant to be secure but they want to make it that way.

Linux64 says:

"Name me one"

qik/Qik.ini

There are over 200,000 apps in the market, you have not audited them all to ensure they don't store sensitive data in hard coded filenames.

Your post is flawed in so many respects it's embarrassing.

* Claiming that apps don't store sensitive data on the SD card when there are trivial examples of exactly that and you haven't audited all the apps in order to make that claim based on evidence.

* Claiming that as long as you don't advertise your full path names you are safe when many apps use hardcoded paths and filenames

* Ignoring the fact that JavaScript can rapidly brute force file names matching common patterns (see Sipdroid/* for example)

* Claiming that SD is somehow more insecure than another type of media storing your bits when SD has nothing to do with this browser/javascript flaw.

* Claiming "switch browsers to something that's not open source" which is so incredibly wrong it betrays your ignorance. The accurate statement would be "switch browsers to something not using WebKit's JavaScript engine". Open source has nothing to do with it, Firefox for Android isn't susceptible for example. Most of the "browsers" (even closed source) in the market are simply different UIs on top of the vulnerable WebKit.

I stand by my claim that your post is a dangerous, misleading, misinformed, and factually incorrect disservice to Android users.

You should fix your article.

You seem to think that application developers who store sensitive data on storage that was not designed to be secure aren't to blame for your examples?

Google places no personal/sensitive data on your SD card. They make no recommendations that others should do this. They give thorough documentation how data can be stored securely, if developers have a need, and it's not to drop it on removable and insecure media.

Wipe your phone. Don't install any third party applications. Now find sensitive data with a hardcoded path that this can exploit. That is how Android is designed. Nothing sensitive should be stored on removable storage, because in its current form, Android does not attempt to secure any data on the removable storage. If Qik does this anyway, then point the finger at them. Maybe this will change in future versions, maybe not -- but it is what it is. This popular idea that Google needs to be responsible for everything other parties do because they wrote and released Android is the real disservice. It's there, it's free, and it works a certain way.

To add, Qik has an easy way to fix their issue -- move the sensitive data to the sandbox. If they haven't done so in the 6 months that this exploit has been known, I would think their customers deserve a reason why.

And sorry if it hurts your feelings, but when attackers are looking at the source to find exploits, as in this case, the easy fix for anyone who isn't capable of building gpg for ARM is to use one of the many browsers on the market who don't share their code, and are (as of now) unaffected. Open source does not equal better, it only equals open.

callderek#AC says:

I'm about 5 months new to Android via my Evo, but has Gingerbread been pushed out? Or do you have to be rooted...

Davest says:

I disagree. How difficult would it be to create an app that has access to personal information, then proceeds to save the information to a hard-coded file name and steer you to a website that can upload your information?

The bigger issue, though, is Android's lack of data encryption. IMHO, this should be the number one priority of the Android team.

The /data partition isn't wholly readable unless you are root. Android's sandbox model only gives applications access to their own data, other requests have to go through the OS.

If I were to write such an app, before you installed it you would see exactly what data I am attempting to gain access to. If you chose to install it anyway, the blame then points to the user.

Davest says:

But it would be very easy to bury malicious code in an app that also has a "legitimate" reason to access Network Communication and Storage. You grant the access because it makes sense based on the surface function of the app, allowing the real function to go on in the background.

I think it does a disservice to your readers to minimize this very real issue.

Conan Kudo says:

What's ironic about the statement "Your SD card was designed to be unsecure..." is that SD actually is an acronym for "Secure Digital". While it is true that SD wasn't designed for security (in fact, the reason SD claims to be secure is because it has a write-protect switch), Android itself could make it secure by offering whole disk storage encryption. Now that Linux distros have been adopting it for the last year, Android can bring it to the mobile platform relatively easily...

mattchew86 says:

Why is everyone so worried about browser flaws for an OS that's not even out yet?

mrw333 says:

Others have reported (http://www.androidpolice.com/2011/01/29/yet-another-android-data-stealin...) that all versions of Android are affected by this bug. It wasn't mentioned in this post. In any case, the real problem seems to be that because the browser is only updated with the OS it will be difficult for Google to get a patch to most of its users given the slow or non-existent reaction of manufacturers and carriers to Android OS updates.

sleepy#AC says:

Jerry, where did you get that picture? That cat can't be yours. That is too funny.

chafedbm says:

Love the picture!

allie0 says:

I suppose Google has found a fix for this and will be updating it in the next maintenance update. Till that time Gingerbread users need to be careful with their browsing. Regards, Allie @ Android Development

Dark_Blu says:

Blah blah blah. Which phones have Gingerbread? Nexus S? So point that out in the article and the rest of us who could not get a Nexus S at a Best Buy when launched, aren't concerned. EVO didn't come with it, haven't rooted it.

callderek#AC says:

I agree. Big freakin deal, gingerbread can (seemingly) only be achieved if you've rooted....maybe for good reason? Jeez.

sookster54 says:

There's plenty of dumped Gingerbread ROMs for several phones, Nexus S is official but look over on XDA, the Desire has about 6 or 7 of Gingerbread ROMs alone.

sookster54 says:

Don't be so quick to dismiss this, what if you have a plus version of LauncherPro, if you backed up your LPP settings it'll be in /sdcard/launcherpro_backup, I myself keep that for when I switch ROMs and I wouldn't have to punch in my LauncherPro plus code in every time.

But it's stuff like that which are on your SD that the attacker could consider. Especially the clockworkmod backups.

Dark_Blu says:

I don't use Launcher pro, phone isn't rooted, no custom roms. There's nothing on my phone or SD card that is "classified", so I'm not concerned.

whippingboy says:

Just out of curiosity- does either Blackberry or iPhone have the same potential issues? If Android wants to outdo either company- they need the support of the corporate IT folks- and with security issues like this and a cavalier attitude of major Android editors that it's "not a problem" IT folks will forever laugh and point out there's no room to consider Android a viable platform for the workplace because Android's priorities aren't on security.

So I should consider my phone open to the public then, but no reason to be concerned? Sorry- but that's plain absurd. Phones are just as personal as your home computer- and for some people becoming more personal than their home PC even! To tell people they shouldn't EXPECT more from Android as a platform is ridiculous.