back to article Drive-by exploit slurps sensitive data from Android phones

A computer scientist has found a vulnerability in the latest version of Google's Android operating system that can be exploited to disclose sensitive user information. The data-stealing bug in Android 2.3, aka Gingerbread, allows attackers read and upload pictures, voicemail and other data stored on a handset's SD memory card, …


This topic is closed for new posts.
  1. Hans 1

    Fragmentation means customers on their own

    Android fragmentation, the unwillingness of the vendors to update their Android-based kit regularly will mean your data will not be safe on Android ... especially since you have to download a program that only runs on Windows (AFAIK, could not find Mac equivalent - Linux?) to update SE's Android kit.

    Have an updater app on the phone. Have themes. Vendors should be forced to support updates for two years at least ... and SLA for "by when" a new version "must" be on the phone.

    They need to get their act together!

    1. bazza Silver badge


      It would be good if Andoid did have an updater and vendors operated under an SLA such as that.

      Unfortunately I don't see how Google can put the genie back in the lamp now that Android is out there and becoming pervasive. If they were going to try and place an updater on the device they would suddenly run in to the problem of Google having to be totally familiar with the hardware of each and every handset. I don't think that's going to happen. And I don't see how anyone could ever force the vendors (i.e. the networks, not the manufacturers) to stick to an SLA when they're not ultimately in control of the update cycle either.

      It is clear Google did little or no thinking at all about the adoption and evolution of Android. They did think about it's usage - they want us to give all our data to them and their cloud so that they can make money charging for the service and apps, and showing us adverts. Unfortunately for them the full commercial potential of that is not going to be realised if Android gains a reputation as being a dodgy place to put all your really valuable data. For example, internet banking is great, but it's a scary enough thing to do even with OS updates, virus checkers, https, firewalls, etc. in place. Now imagine doing internet banking knowing that whatever protection measures are in place are probably buggy and aren't getting fixed? Who would do that?

      Reputation is everything. Google will be keen for Android to have a good security reputation. Security researchers are keen to have a reputation for being able to find security problems. If Android starts looking easy to find problems with then expect security researchers to bundle in for the feast. The bug list will grow, and Android starts looking crap. The firey gaze of security researchers and hackers is a truly powerful force. They've put MS through the mill, and maybe MS are emerging stronger for it. There's no reason why Android won't be similary grilled, especially as anyone can see the source code (though in a way I suspect that the hacking tools developed to probe closed source systems like Windows are a more efficient way of attacking open systems like Linux than reading the Linux source code...)

      Google also has to get serious about fixing bugs in older versions so that old handsets can be fixed. People are buying these expensive things on 2 year contracts; how pleased are they when six months in they're told that their roms are at the end of the line and that their expensive device is now dangerous to use in the intended way because all their data will get stolen? These things are not PCs, they can't have a bit more memory and a new disk thrown in like a desktop or laptop can. Bug fixing in only the latest version simply cuts off the millions of users who can't upgrade to shiny new hardware yet. How can Google fix that? Assuming the hardware remains too expensive to be disposable, they can't. Not at present, not without taking overall control of the firmware that actually ends up in the roms of peoples' handsets.

      Which is exactly what Apple have done, and Microsoft too. MS might benefit significantly - Android has shown that there can be an Apple alternative, and MS might (might?) start looking like a safer alternative to Android. In a way it almost doesn't matter how buggy iOS and WP7 are at the moment; they have the potential to become less buggy (iOS less so than WP7 because Apple are also a hardware vendor and want you to upgrade). Android doesn't.

      MS's ARM move could prove a smart thing. No matter what anyone thinks about MS they have come on leaps and bounds in addressing security problems, and are definitely better at it than Apple, Adobe, etc. They can leverage all those years of bug fixes with their Windows port to ARM, slap on the WP7 GUI on top instead of Windows desktop, and if they're lucky get instant step up in the mobile market place.

    2. Sean Gray


      I agree that vendors should be forced to support updates but I'm not sure what you're talking about when you refer to a Windows-only updater app - my Android updates itself quite happily over the air - I very rarely plug it into any computer at all.

      Can we have an Android icon yet?

    3. batfastad
      Jobs Horns

      Agree to an extent

      There will always be vulnerabilities, especially in newer platforms.

      However the network operators should be forced to push out firmware updates more frequently.

      There is a software update program on the phone.

      Problem is the network operators are so slow to push the updates out so they can do their precious branding!

      I can understand a delay while the handset manufacturer does testing. But it took O2 an extra 5 months to release 2.2 after it had been made available by HTC for the Desire.

      1. Anonymous Coward

        Re: Agree to an extent

        "I can understand a delay while the handset manufacturer does testing. But it took O2 an extra 5 months to release 2.2 after it had been made available by HTC for the Desire."

        Which is simply because that's not yet a competitive factor when most people make their purchasing decisions.

        If enough of us factor that in when purchasing, then they will release the updates faster. They shouldn't be 'forced' to act faster, they should realise it's in their commercial interests to do so.

    4. Giles Jones Gold badge


      I wouldn't call it fragmentation, it's just they don't make any money giving you OS software but they do when you get a new phone.

      1. Goat Jam


        . . . when I go elsewhere for a phone because your customer service and attitude sucks.

        I'll be telling all my friends about it too.

    5. DrXym

      Wrong Hans

      "Android fragmentation, the unwillingness of the vendors to update their Android-based kit regularly will mean your data will not be safe on Android ... especially since you have to download a program that only runs on Windows (AFAIK, could not find Mac equivalent - Linux?) to update SE's Android kit."

      Actually it will be perfectly safe, assuming you purchase phones from a company which supports their phones with firmware updates as necessary. I assume most corporate customers have pockets deep enough to entitle them to that level of support, and consumers can pick and choose from the various handset manufacturers.

      We already know certain manufacturers are more forthcoming with updates than others - pick those if security updates are top priority. Sony Ericsson is one of the worst in providing updates and HTC is one of the better. Choose accordingly.

      Android is probably higher risk than other phone OS's, by virtue of being such an attractively large target. I think it would be beneficial if Google & other stakeholders were to have some kind of security clearing house where issues could be addressed in a coordinated fashion. On this particular bug, it would seem sensible that phone finds a way to obfuscate the path to the SD card (thus making paths unguessable), or display some permission dialog before permitting access to a file.

      I do agree that all phone manufacturers should be required to support their phones to some level. The guarantee that covers the physical phone should also cover the software including the fixing of any security / power / stability related issues.

    6. Anonymous Coward

      Open Source operating systems

      "Vendors should be forced to support updates for two years at least ... "

      Forced. Hmm. By whom?

      You see, the trouble with Open Source operating systems like Android is that is isn't really compatible with 'forcing', however well-intentioned.

      You see 'forcing' isn't freedom, and as soon as you add a restriction to a open source project, users will fork off and use a less restrictive variant.

      Now I'm not saying that open source is bad, and Apple with their extreme control is good. Gosh no. But I do think this is a useful lesson on the limitations of the open source model.

  2. heyrick Silver badge

    Abandon privacy all ye who enter here

    Ditto everything Hans 1 said. And add extra because the built-in browser, while nifty and good-looking, is APPALLING when it comes to basic security issues. There's no filtering what can run on the browser (a la NoScript). There's no per-site preferences, scripting is either "on" or "off" (likewise Flash, etc). There's not even a way to view/edit/manage remembered passwords (if any). I will wait patiently for some version of Firefox for Android.

    Right now marks my first week of owning an Android phone and it is pretty amazing compared to the sort of stuff I am used to. However it seems to me that the big flaw is Android is that it seems to be a case of some developers throwing in every single "awesome" feature they could think of, yet the system is not mature enough to have the features you really need. For example, using the Motoblur version as an example (and there, as Hans said, is fragmentation - there appears to be a huge lack of consistency between different brands), there is a useful "Data saver" to help me not burn silly amounts of data when on EDGE/3G. But the actual implementation is broken in that the news app will not sync a dozen RSS feeds, but the mail app will try to pull a 10Mb attachment to an email. It should, for a message that size, retrieve the headers and prompt if you really want to do that over mobile comms. But the system is immature. Far better for cool bells and whistles. Take for example to Market. You select an application, you get asked to accept the required permissions. Um, so where are the tick-boxes to say "you can read my SD card but you ain't touchin' my contacts list"? Why does the app have the right to "access files and data on SD card"? Why is there no sandbox like /sdcard/app/<appname> ? Maybe in a few years when people stop going "oh wow" and start thinking what they really want and need we'll see basic security and privacy issues tightened up. [and no, "rooting" the device is out of the question, these topics should be addressed "out of the box"]

    I completely understand why Google, as an advertising playground, failed to address these points. But to provide a system with such a lack of thought for the end-users wishes and desires is, frankly, a bit shit. No, I do *not* want Facebook to track everywhere I go thanks to the "Like" button. No, I don't want any number of arbitrary scripts to be fetched and run (especially when out in the sticks, the net runs at around 10Kb/sec).

    However, the title of this post, sums up my general opinion of Android so far. It is way too eager to share an awful lot of things with an awful lot of entities I don't know. I turned off the GPS because it was a bit disconcerting when a weather app started to ask me for a post code and after a moment of contemplation, told me where I was. Under my breath I told it where it could go... ;-)

    So here we have yet another story of loaded links doing evil things. I guess it is a welcome change that it isn't Windows, but on the other hand you do wonder when Android will stop being feature bloat and start being core functionality. The fact that my (new) phone runs 2.1 and might some day run 2.2 while the devs are busy with 2.3 (and by then probably 2.5) shows part of the problems with the system. Perhaps half of my pet quirks are already fixed? And I'll see this when? When Motorola get around to it? Is that a "when" or is that an "if"?

  3. Anonymous Coward

    How secure are these smart phones?

    Since I have my doubts the data slurping behemoth known as google wants to be unable to slurp data from your android phone, how secure are they? I know iphones have had their vulnerabilities too, how secure are they? I'm really put off getting one for a while until there's some maturity and maybe security apps on them. Obviously pc os's have been around for ages and they still have their fair share of holes, but will owning a smart phone be like owning a house with the windows and doors locked, or like handing the keys to thieves in comparison?

  4. Anonymous Coward
    Black Helicopters

    Color me paranoid...

    A bug that allows someone to slurp data off an android if they know who/what to look for?

    Hmmm. So if I were Google, wouldn't I want to slurp your personal files and data that you have on your phone to better monitor and determine you usage needs and send you directed ads?

    Yeah, I'm being paranoid, but this from a company that has tossed your personal privacy out the window with the bath water.

    1. DrXym

      Yes paranoid

      Google already have a way to gather info about you. They provide services that people use everyday and put them into phones as the default - search, maps, docs, email etc. There is no need to do something underhand for which they'd be flayed alive. Besides if they wanted to upload files, they could just embed some code into Maps or Gmail or similar which just grabbed it straight from the SD and uploaded it. I.e. there is no need for an exploit.

      Any issue with paths in the browser is a security flaw, nothing more or less. A serious flaw but one which has a solution - don't upload of any kind without explicit user permission. A second level of security would be to prevent the browser accessing file:// urls under any circumstances, or at least create a small hash (e.g. 8 chars) which is randomly assigned to the phone and must be must be prepended to the path in the file:// url for it to function properly.

      1. Anonymous Coward
        Black Helicopters


        Google has ways, but can only gather information to a point.

        Getting other ways also means collecting different information which may provide more insight in to you and your habits.

        In reality you have two things... getting to market first, flaws and all in an effort to capture market share. (Microsoft tactics 101). The second... provide a way to capture information which if caught, one can say mea culpa.

        (Plausible denial)

        We've seen this before. Not to mention that they can capture a lot more data than you think.

  5. Zobbo


    My Magic got Froyo over the air. I've never installed anything for it, I just use it like a USB drive to transfer files and all updates magically appear over 3G. Having said that, it was the first update since 1.6 so I think security exploits like this could be a major problem if updates are so slow to appear, so I agree with the rest of the post. Also the carrier is always emphasizing that Google control updates (mine is a google branded phone) so not really the fault of the carrier in this case.

  6. EyeCU
    Jobs Horns

    RE Hans

    Errr... no need for an update app as it is built into the OS. No you don't have to download a windows app as both apps from the markey place and OS upgrades can be done OTA.

    I do agree that vendors should be forced to provide updates for at least 2 years - Motorola are seriously getting on my nerves now with the delay deploying Froyo to the Milestone. I will never buy a Motorola product again, but I will buy another Android phone. This is something us non-fruity obsessed people like to call choice.

    Much better than one phone to rule them all.

    1. kain preacher

      are sure

      It's motorola's fault. I have Motorola phone and Verizion seems to update it fairly fast.

      1. EyeCU

        Certain its Motorola at fault

        Have a look at the Milestone forums. Lots of complaints from all over the world as the U.S. gets all the updates while the rest of the world are left waiting. Outside the U.S. the phone was sold without a carrier, we had no subsidies and paid full price for it and yet don't get any kind of quality support. Every region has had the same thing - update expected early Q3 2010, then changed to early Q4, then late Q4 and has recently been changed to early Q1 2011. Not only that but the U.S. version the Droid was sold with the bootloader unlocked. When they started selling it outside the U.S. they locked the boot loader to stop us upgrading it ourselves.

        This forum has been going since last may

        It is listed as the Milestone A583. it's a shame as the quality of the hardware is great, but the lack of support afterwards has lost them any future sales they might have had from me.

    2. Mark Olleson

      Milestone, millstone?

      Title says it all.

  7. Shadowmanx2009

    Poor Selling Point

    Makes you wonder if Apple was right to lock their phone down so tightly! Hate having to say that.

  8. brain_flakes

    What SD card?

    The Nexus S doesn't have an SD card slot

    1. Anonymous Coward
      Anonymous Coward


      The OS still mounts the phones storage area as SD, with or without card.

  9. Fred 24


    Javascript off and alls ok.

    It seems to fetch pages faster with it off.

  10. Robert Carnegie Silver badge

    I'm planning an Android purchase. Guess I have another reason to use Opera.

    Then again, if you save your files in folder abc1247xy32mypinnumber then you're probably quite safe. As long as no one knows that.

    Hey, what if someone steals your phone and pops the SD card right out of it? Vulnerability ahoy!

  11. bexley

    gone are the days...

    ...of propriety phone operating systems that nobody was interesting in attacking, these things are running full blown linux and windows now.

    They must be updated and supported like any other distribution.

    Phone vendors have to get much better in providing updates (samsung currently dont update android at all) or make their phones hardware to a standard and pass the operating system responsibility to the end user - like most other hardware.

    I predict that sooner or later we will be treating phones the same way we treat pc's. Install the OS of our choice and take responsibility for our own updates

  12. This post has been deleted by its author

  13. Anonymous Coward

    another scare article

    Not in the wild.

    Article should have "POC" in the title.

    1. Anonymous Coward


      and it should also have said 'user clicks on dodgy link and gets infected/data slurped/bot netted...'

      Now I think that this just may have been done before, not sure though, this type of get the user to click a link attack could be brand spanking new.

This topic is closed for new posts.

Other stories you might like