Back before Thanksgiving, we reported about an Android security flaw in the stock web browser that allowed an attacker to get contents of your SD card if he or she knew the full path to the files. That flaw was fixed in Gingerbread, and all was well with the world blogosphere. But, lo and behold, someone has found a way to work around the new patch, and the Gingerbread browser is just as vulnerable (with a different method) as before the patch.
And we're still not worried.
Yes, this needs to be addressed. Yes, you're likely going to have issues getting any patch because your carrier and manufacturer will be involved to help slow down the process. But let's put things in perspective a bit. The Android browser allows for file downloads and javascript execution -- it wouldn't be much of a browser without those features. Android also gives us an unsecure place to store files -- the SD card (or equivalent). If you go to a website, and click a link, some code can be run that looks for files by name and can pull them from your card. If it doesn't know the name, it doesn't find the files.
That's the most important part to remember. Regardless of the FUD that is being spouted (Android is the world's most popular phone operating system, and any mention of it gets you massive pageviews) rogue websites likely aren't dipping into the database of your banking app and stealing your financial information. That shouldn't even be stored on your SD card, as it should all be secure data.
They can, however, steal the pictures on your SD card -- the ones you took with your phone, left with the default name, and in the default location, but again -- only if the full path and file name is known. Google will patch this, and someone will find a way around that patch as well. Regardless of what some folks would like you to believe, no software is 100 percent secure. And chances are, you'll lose your phone before you stumble across a website designed to steal your pictures, so anything on your card is fair game then.
There are three easy ways to avoid the problem -- switch browsers to something that's not open source, stop using the SD storage, or pay attention to what you keep on the card. Your SD card was designed to be unsecure, and easy to access, so it is. [NC State University]
