Data Leak Vulnerability Haunts Latest Android (Gingerbread)

01.28.2011

Android version 2.3 contains a data leak vulnerability, similar to that found in previous versions.

A computer security researcher at NC State University, Xuxian Jiang, has identified a security vulnerability in the latest version of Google Android, version 2.3, also known as Gingerbread. The vulnerability gives attackers access to user data – similar to a vulnerability identified in previous iterations of Android, which Google thought it had fixed with the latest version.

Simply by clicking on a link, Android users may give attackers access to personal information. If exploited, the vulnerability would allow a malicious Web site to read and upload the contents of any file stored on the phone’s microSD (memory) card. Information on the SD card could include saved voicemails, photos or online banking data.

The vulnerability would also allow attackers to find out all of the applications installed on a phone, and upload many of the applications onto a remote server – including all built-in applications.

Jiang, who discovered the vulnerability while working on an Android-related research project, has confirmed it on a Nexus S phone running Gingerbread.

A similar vulnerability was reported on earlier versions of Android phones, leading Google to make changes in Gingerbread designed to address the flaw. However, Jiang has found that the Gingerbread fix can be bypassed.

So, what can be done to mitigate the vulnerability? The simplest way to protect your information is to remove or disable the SD card in your phone. However, that will leave you unable to save voice mail or photos. You could also disable JavaScript in your browser, but that would affect your ability to access online content. Another option is to switch to a third-party browser, such as Firefox.

Now that this information is out there, programmers can begin to develop means of addressing the vulnerability.

65 Responses to “Data Leak Vulnerability Haunts Latest Android (Gingerbread)”

  1. [...] There are three easy ways to avoid the problem — switch browsers to something that’s not open source, stop using the SD storage, or pay attention to what you keep on the card.  Your SD card was designed to be unsecure, and easy to access, so it is.  [NC State University] [...]

  3. [...] NCSU] Related content: Nexus One dapatkan Update OTA Android [...]

  4. [...] Award from the National Science Foundation…A computer researcher at NC State identifies a security vulnerability in the latest version of the Google Android…An NC State research team creates a gallium [...]

  5. Derek says:

    Very insightful post, Android is really going to have to do something about the holes in the OS. Let’s hope in 2011 they can patch these issues up.

  6. [...] Abstract readers may recognize Jiang’s name. We wrote earlier this year about his identification of a security vulnerability in Android 2.3 (Gingerbread). [...]

  7. [...] software companies to detect or block the malware. In January, Jiang’s team identified a data-stealing vulnerability in Android 2.3 (Gingerbread). [...]

  8. [...] menu on the homescreen / settings / about phone / Android version).  Turns out, even Android 2.3 Gingerbread may have some similar vulnerabilities. Google has in the past responded quickly to these threats and removed them remotely from your phone [...]

  9. [...] pieces of Android malware last month, Plankton and YZHCSMS. In January, Jiang’s team identified a data-stealing vulnerability in Android 2.3 (Gingerbread). [...]

  10. It seems Microsoft has just found security vulnerabilities in Chrome as well. Hopefully this isn’t going to be a trend for Google.

  11. John Beiv says:

    Very insightful post, Android is really going to have to do something about the holes in the OS. Let’s hope in 2011 they can patch these issues up.

  12. Security issues with all models of mobile phones are going to become a major concern as the number of users increases. It reminds me of the early days of the Internet when it really was the Wild West. What are the developers doing to improve security issues?

  13. I am wondering whether the new Ice Cream Sandwich will have similar data leak problems. I am wondering because I am about to upgrade my Android phone.
