Android 2.3 Shows Security Bug, Can Gain Access To Content On microSD Cards

It looks like a bug's life can be pretty busy nowadays, especially when they continue to infest the Android OS. In addition to still bearing some SMS issues, it looks like 2.3 Gingerbread has a new gaping hole in the software. According to Xuxian Jiang, a security researcher at North Carolina State University, the Android 2.3 firmware has a new bug, one that could possibly allow malicious sites and attackers alike to gain access to the content of your microSD card. Jiang, who is also an assistant professor with the school, stated in an advisory that sensitive content like banking info, photos and voicemails could be extracted and routed to a remote server of the attacker's choice. In an email sent to eWeek, Jiang also adds that his findings were not particularly difficult to implement and only require basic knowledge of JavaScript and Android.

It was thought that a similar bug had been resolved in previous versions of Android; however, Jiang states that this fix can easily be bypassed. So, in a sad state of affairs, it appears as though there is nothing you can do to prevent the leak, with the exception of just flat out removing your SD card or staying away from malicious links, if you can.

A couple of days ago, Jiang brought his findings to Google’s attention.  A spokesman from Google stated that their teams have developed a fix for the issue, which will be rolled out in an upcoming Android 2.3 maintenance update.  However, the spokesperson was unable to provide an approximate date or time for the update.  So, if you’re running 2.3 on your device, be aware of what sites you’re visiting and let us know what you think in the comments below.

[via engadget]

Author: Joe Sirianni

  • birbeck

    If an app is storing sensitive information in clear text on the SD card, it is broken by design. Every app has its own protected storage and sensitive information should always be encrypted or hashed regardless of where it is stored. If a website can steal data from your sdcard, that is not a bug or vulnerability of Android per se.