Android 2.3 Still Vulnerable To Previously “Fixed” Data Theft

Do you remember that old vulnerability in Android 2.2 that allowed an attacker to grab data off an SD card, provided they knew the absolute path of a file and were able to get a user to visit a specially crafted site? Well, Google specifically stated they would fix the issue in 2.3 Gingerbread. It would seem that they did indeed patch something in a hotfix – but the issue cropped up again. Xuxian Jiang, an assistant professor in the Department of Computer Science at North Carolina State University has confirmed with Google’s Security team that a related vulnerability still exists in the “shipping” branch of Gingerbread. This means that the fabled Nexus S is being boxed, bought and used with a very exploitable security hole. Fortunately, the team says they are unaware of any active exploitation of this in the wild.

With manufacturers and carriers only now upgrading devices to the old and relatively antiquated releases of 2.1, how many devices does this leave vulnerable? As far as it’s known, 2.2 devices have not received an update that completely closes this security hole. It also looks as if all the new devices on the horizon that are slated to be released with Android 2.3 may be vulnerable to this as well. Google may deny that fragmentation is a problem for users, but when security is at hand and you can’t patch your mobile device due to the OS being fingered by 3 different companies before you get it (Google, OEM, carrier) then it should be a huge concern for consumers. For those enterprising users who want take all attempts to reduce their risk, it is recommended that you use a third party browser or completely disable javascript in the stock browser until the issue is resolved.