Android Browser Flaw Discovered
Security researcher Thomas Cannon recently demonstrated a vulnerability in Android that could allow an attacker access to a user’s private information. In essence, a malicious website can get the Android browser to download a file to a predictable location and then render it, executing JavaScript in a local context. This happens without prompting the user and can result in exposing local files, for example photos, that are in a predictable location.
Cannon demonstrated this flaw via video yesterday by retrieving a file from the phone and then posting it to a remote site. As expected, the Google security team responded very quickly and is committed to a fix in the upcoming Gingerbread (Android 2.3) maintenance release. Until a fix is available for your device, you may consider the following options to stay extra safe:
- Only visit websites you trust.
- Disable JavaScript in the browser.
- Watch for suspicious automatic downloads, which should be flagged in the notification area. Downloads shouldn’t happen silently in the background.
- Use a browser such as Opera Mobile, which prompts the user before downloading files.
- Unmount the SD card. To unmount the SD card, go to Settings -> SD & phone storage and click “unmount SD card”. According to Cannon, this could have an impact on the usability of the device in some situations.
We’ll keep you updated as we hear from the carriers and manufacturers as to when they release a fix for this vulnerability.

Does Lookout protect against this at all?
Wait, you guys offer anti-virus for Android, why doesn’t your application detect this?
@Steven and @Brian. At this stage there is no known malware in the wild actively exploiting this vulnerability (flaw). This was a “proof of concept” exploit to show it could be exploited, which will ultimately make Android a safer platform. In many cases, software flaws (or vulnerabilities) are discovered by security researchers and submitted to the software developer (in this case Google) so the software vendor can create a fix before the vulnerability is exploited by malicious attackers.