Pages

Thursday, November 25, 2010

Google's Android is defected

Thomas Cannon (UK-based security consultant) has identified a major security flaw in Google's Android operating system. This exploit works at all the versions of this platform, and could allow an attacker to view, and copy files from a device's SD card. Some of the important details are being held back by Cannon so Google has a chance to fix the exploit.

A malicious website causes the browser to download a specially coded HTML file to the phone's SD card. Once there, the file is executed by JavaScript running on the site. When this HTML file is run locally, it is able to run JavaScript without user consent. An attacker can use this scripting access to copy files from the SD card.

This is not, as far as anyone knows, being actively exploited anywhere. There are some apps that always store important files in identical directories when installed, so it is possible an attacker could know where some files are kept. It is unclear what Google will do about this. All Android phones are affected. Will manufacturers and carriers be willing to push out updates even for older phones!

No comments:

Post a Comment