A Attack in the Android browser could permit an attacker to steal the user's local data.
Problem arises because the Android browser doesn't prompt the user when downloading a file. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort," he noted.
For the demo android first created a file on the SD card of the Android device. Next, he visited a malicious page and watched as it grabbed the file and automatically uploaded it to a server.
Protective Measures
The Android Security Team responded within 20 minutes of Cannon's notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated.
In the meantime, since not all gadget manufacturers provide timely Android updates, Cannon suggests a few steps users can take to protect themselves, including:
- Disabling JavaScript in the browser.
- Watching for suspicious automatic downloads, which should be flagged in the notification .
- Using a browser such as Opera Mobile, which prompts the user before downloading files.
- Unmounting the SD card.
0 comments:
Post a Comment