Android 2.3 Shows Security Bug, Can Gain Access To Content On microSD Cards

It looks like a bug's life can be pretty busy nowadays, especially when they continue to infest the Android OS. In addition to still bearing some SMS issues, it looks like 2.3 Gingerbread has a new gaping hole in the software. According to Xuxian Jiang, a security researcher at North Carolina State University, the Android 2.3 firmware contains a new bug, one that could possibly allow malicious sites and attackers alike to gain access to the content of your microSD card. Jiang is also an assistant professor with the school and has stated in an advisory that pertinent and vital content like banking info, photos and voicemails could be extracted and routed to a remote server of choice. In an email sent to eWeek, Jiang also adds that his findings were not particularly difficult to implement and only require basic knowledge of JavaScript and Android.

A similar bug was thought to have been resolved in previous versions of Android; however, Jiang states that this fix can easily be bypassed. So, in a sad state of affairs, it appears as though there is nothing you can do to prevent the leak, with the exception of just flat out removing your SD card or staying away from malicious links, if you can.

A couple of days ago, Jiang brought his findings to Google’s attention.  A spokesman from Google stated that their teams have developed a fix for the issue, which will be rolled out in an upcoming Android 2.3 maintenance update.  However, the spokesperson was unable to provide an approximate date or time for the update.  So, if you’re running 2.3 on your device, be aware of what sites you’re visiting and let us know what you think in the comments below.

[via engadget]

  • birbeck

    If an app is storing sensitive information in clear text on the SD card, it is broken by design. Every app has its own protected storage and sensitive information should always be encrypted or hashed regardless of where it is stored. If a website can steal data from your SD card, that is not a bug or vulnerability of Android per se.