The sky!  It's falling!

Back before Thanksgiving, we reported about an Android security flaw in the stock web browser that allowed an attacker to get contents of your SD card if he or she knew the full path to the files.  That flaw was fixed in Gingerbread, and all was well with the world blogosphere.  But, lo and behold, someone has found a way to work around the new patch, and the Gingerbread browser is just as vulnerable (with a different method) as before the patch.

And we're still not worried.

Yes, this needs to be addressed.  Yes, you're likely going to have issues getting any patch because your carrier and manufacturer will be involved to help slow down the process.  But let's put things in perspective a bit.  The Android browser allows for file downloads and javascript execution -- it wouldn't be much of a browser without those features.  Android also gives us an unsecure place to store files -- the SD card (or equivalent).  If you go to a website, and click a link, some code can be run that looks for files by name and can pull them from your card.  If it doesn't know the name, it doesn't find the files.

That's the most important part to remember.  Regardless of the FUD that is being spouted (Android is the world's most popular phone operating system, and any mention of it gets you massive pageviews) rogue websites likely aren't dipping into the database of your banking app and stealing your financial information.  That shouldn't even be stored on your SD card, as it should all be secure data.

They can, however, steal the pictures on your SD card -- the ones you took with your phone, left with the default name, and in the default location, but again -- only if the full path and file name is known.  Google will patch this, and someone will find a way around that patch as well.  Regardless of what some folks would like you to believe, no software is 100 percent secure.  And chances are, you'll lose your phone before you stumble across a website designed to steal your pictures, so anything on your card is fair game then.

There are three easy ways to avoid the problem -- switch browsers to something that's not open source, stop using the SD storage, or pay attention to what you keep on the card.  Your SD card was designed to be unsecure, and easy to access, so it is.  [NC State University]

 

Reader comments

Gingerbread web browser security flaw exposed, and explained (us, worry?)

30 Comments

I think I would be more afraid of rogue websites. As opposed the the "rouge" websites..:) I'm just saying.. Thanks Jerry!

If Gingerbread lets me encrypt the local storage, problem (mostly) eliminated.

BTW, this is the most pressing issue for Android becoming accepted as a mobile solution by business...

Switch browsers to something that's not open source? Bad idea -- that will reduce your security, not increase it.

The standard way to find security holes is not to read the source, but to try various attack techniques (code injection, buffer overflows, input fuzzing, etc) and see what works. This can be done against open- and closed-source programs equally well.

Once you find a security hole, then you have to fix it, and THAT's where the open-source world has the advantage. In the closed-source world, only the company that owns the software can fix the bug, because they're the only ones who have the source code. That means anywhere from one (single developer) to a thousand-plus people (major corporations) have the access required to fix the bug. In the open-source world, though, EVERYONE who uses the program also has the access required to fix the bug. Not everyone has the skills, of course, but anyone who does have the skills also had the tools needed. Result: bugs get fixed more quickly, once found, in the open-source world than in the closed-source world.

In short: Open-source software has a security advantage that closed-source will never have, because its bugs get fixed faster.

(Of course, in the Android world, the carriers can take ages to get that bugfix to you...)

But -- and it's a big but -- in this case the people finding these exploits are taking the lazy route, and using the source code to help. Third party browsers aren't affected, and probably won't be, unless they are FOSS like FFM or Opera. Using something like Dolphin HD will keep you safe from this exploit.

Is Opera open source? I know that it's a popular browser among Linux users, yet I always thought that all of its versions were proprietary.

Also, it seems that open source isn't always the most secure (as you mentioned) when the software isn't updated. Considering that the Browser is one of the most common attack vectors and most used app on a system; why doesn't Google provide updates to it through the market? I know that Sense and some others skin/modify it, but at least the phones that use an unmodified version of it could upgrade it and those that don't could install it from the market for the benefit of regular fixes and updates from AOSP.

I see where you are coming from Jerry, but Internet Explorer had this same issue for nearly a year without being patched (except replace SD Card with your entire hard disc contents) - that's famously open source isn't it? :P

Security matters. Just because we are all Android fans doesn't mean Google gets a free pass.

Your post is a disservice to Android users.

"Your SD card was designed to be unsecure, and easy to access, so it is" -- The mind boggles at such a stupid statement.

Don't be a fool, many, many apps use hard coded filenames and paths for file that can contain sensitive information.

Name me one, so I know which apps to avoid. Any developer who stores sensitive information on removable storage, or storage that can be unmounted at runtime needs to be avoided at all costs.

SD storage is insecure by design. The Fstab wasn't written the way it is by mistake.

This also why so many developers offer/create/sell software for encryption. They know it wasn't meant to be secure but they want to make it that way.

"Name me one"

qik/Qik.ini

There are over 200,000 apps in the market, you have not audited them all to ensure they don't store sensitive data in hard coded filenames.

Your post is flawed in so many respects it's embarrassing.

* Claiming that apps don't store sensitive data on the SD card when there are trivial examples of exactly that and you haven't audited all the apps in order to make that claim based on evidence.

* Claiming that as long as you don't advertise your full path names you are safe when many apps use hardcoded paths and filenames

* Ignoring the fact that Javascript can rapidly brute force file names matching common patterns (see Sipdroid/* for example)

* Claiming that SD is somehow more insecure than another type of media storing your bits when SD has nothing to do with this browser/javascript flaw.

* Claiming "switch browsers to something that's not open source" which is so incredibly wrong it betrays your ignorance. The accurate statement would be "switch browsers to something not using WebKit's Javascript engine". Open source has nothing to do with it, FireFox for Android isn't susceptible for example. Most of the "browsers" (even closed source) in the market are simply different UIs on top of the vulnerable WebKit.

I stand by my claim that your post is a dangerous, misleading, misinformed, and a factly incorrect disservice to Android users.

You should fix your article.

You seem to think that application developers who store sensitive data on storage that was not designed to be secure aren't to blame for your examples?

Google places no personal/sensitive data on your SD card. They make no recommendations that others should do this. They give thorough documentation how data can be stored securely, if developers have a need, and it's not to drop it on removable and insecure media.

Wipe your phone. Don't install any third party applications. Now find sensitive data with a hardcoded path that this can exploit. That is how Android is designed. Nothing sensitive should be stored on removable storage, because in it's current form, Android does not attempt to secure any data on the removable storage. If Qik does this anyway, then point the finger at them. Maybe this will change in future versions, maybe not -- but it is what it is. This popular idea that Google needs to be responsible for everything other parties do because they wrote and released Android is the real disservice. It's there, it's free, and it works a certain way.

To add, Qik has an easy way to fix their issue -- move the sensitive data to the sandbox. If they haven't done so in the 6 months that this exploit has been known, I would think their customers deserve a reason why.

And sorry if it hurts your feelings, but when attackers are looking at the source to find exploits, as in this case, the easy fix for anyone who isn't capable of building gpg for ARM is to use one of the many browsers on the market who don't share their code, and are (as of now) unaffected. Open source does not equal better, it only equals open.

I disagree. How difficult would it be to create an app that has access to personal information, then proceeds to save the information to a hard-coded file name and steer you to a website that can upload your information?

The bigger issue, though, is Android's lack of data encryption. IMHO, this should be the number one priority of the Android team.

The /data partition isn't wholly readable unless you are root. Androids sandbox model only gives applications access to their own data, other requests have to go through the OS.

If I were to write such an app, before you installed it you would see exactly what data I am attempting to gain access to. If you chose to install it anyway, the blame then points to the user.

But it would be very easy to bury malicious code in an app that also has a "legitimate" reason to access Network Communication and Storage. You grant the access because it makes sense based on the surface function of the app, allowing the real function to go on in the background.

I think it does a disservice to your readers to minimize this very real issue.

What's ironic about the statement "Your SD card was designed to be unsecure..." is that SD actually is an acronym for "Secure Digital". While it is true that SD wasn't designed for security (in fact, the reason SD claims to be secure is because it has a write-protect switch), Android itself could make secure by offering whole disk storage encryption. Now that Linux distros have been adopting it for the last year, Android can bring it to the mobile platform relatively easily...

I suppose Google has found a fix for this and will be updating it in the next maintenance update. Till that time Gingerbread users needs to be careful with their browsing. Regards, Allie @ Android Development

Blah blah blah. Which phones have Gingerbread? Nexus S? So point that out in the article and the rest of us who could not get a Nexus S at a Best Buy when launched, aren't concerned. EVO didn't come with it, haven't rooted it.

I agree. Big freakin deal, gingerbread can (seemingly) only be achieved if you've rooted....maybe for good reason? Jeez.

There's plenty of dumped Gingerbread ROMs for several phones, Nesus S is official but look over on XDA, the Desire has about 6 or 7 of Gingerbread ROMs alone.

Don't be so quick to dismiss this, what if you have a plus version of LauncherPro, if you backed up your LPP settings it'll be in /sdcard/launcherpro_backup, I myself keep that for when I switch ROMs and I wouldn't have to punch in my LauncherPro plus code in everytime.

But it's stuff like that which are on your SD that the attacker could consider. Especially the clockworkmod backups.

I don't use Launcher pro, phone isn't rooted, no custom roms. There's nothing on my phone or SD card that is "classified", so I'm not concerned.

Just out of curiosity- does either Blackberry or iphone have the same potential issues? If android want to outdo either company- they need the support of the corporate IT folks- and with security issues like this and a cavalier attitude of major Android editors that it's "not a problem" IT folks will forever laugh and point out there's no room to consider Android a viable platform for the workplace because Androids' priorities aren't on security.

So I should consider my phone open to the public then, but no reason to be concerned? Sorry- but that's plain absurd. Phones are just as personal as your home computer- and for some people becoming more personal than their home PC even! To tell people they shouldn't EXPECT more from Android as a platform is ridiculous.